Search giant says it will no longer recognise certificates issued by CNNIC
Search giant Google will no longer recognise security certificates issued by the official China Internet Network Information Centre (CNNIC) following what experts called a “major breach of public trust and confidence”.
CNNIC, which is responsible for internet affairs under the Ministry of Industry and Information Technology, responded to Google’s announcement with a defence of its practices, calling the move “unacceptable”.
Last month, CNNIC issued security certificates for a number of domains, including Google’s, without their permission. Security certificates are akin to a website or online service’s fingerprint, and tell a browser whether it can be trusted. By issuing unapproved certificates, CNNIC risked compromising the encryption protocols used to protect users of email services and other secure websites.
“CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems,” Google said in a statement.
Chinese officials told Google they had contracted Cairo-based MCS Holdings to issue the certificates. MCS said it would only issue certificates for domains it had registered.
“However, rather than keep the private key in a suitable [hardware security module], MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Google said.
Tom Lowenthal, a security and surveillance expert at the Committee to Protect Journalists, said the Chinese move marked a “major breach of public trust and confidence”. “The deliberate breach had the potential to seriously endanger vulnerable users, such as journalists communicating with sources,” he wrote.
On Wednesday, Google said that “as a result of a joint investigation of the events surrounding this incident by Google and CNNIC”, it would no longer recognise certificates issued by the Chinese authority.
Websites and businesses using CNNIC certificates may now be flagged as dangerous on Google’s Chrome browser, potentially scaring off customers.
Google said it did not believe any other certificates had been affected aside from those issued by MCS, and praised CNNIC for taking steps to improve security.
“[We] welcome them to reapply once suitable technical and procedural controls are in place,” it said.
In a response posted online on Wednesday, CNNIC said Google’s decision was “unacceptable and unintelligible” and called on the US-based company to consider user rights and interests.
“For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected,” the agency said.
Google’s move comes as US President Barack Obama issued an executive order declaring cybersecurity a “national emergency”, in the wake of a concerted attack on the open-source code repository GitHub.
Text: SCMP BY James Griffiths 02-04-2015