Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC
from the wow dept
As you may have heard, last week, Google warned about an unauthorized HTTPS certificate being issued via CNNIC (China Internet Network Information Center -- which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm MCS Holdings, saying it had allowed MCS to issue security certificates for domains it had registered, but MCS had abused that power to issue bogus certificates.Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:
As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.This is a pretty big deal, but the right move for Google to make. It's well known that the whole setup of security certificates is based on how much you trust the issuers of the certificates. If you can't trust the certificate authorities the whole system breaks down. This has long been a problem that is going to require a very different security model in the future. But, while we still have that system, it's of absolute importance that any breach of trust needs to be dealt with severely.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: china, fraudulent certificate, security certificates
Companies: cnnic, google, mcs holdings
Reader Comments
Subscribe: RSS
View by: Time | Thread
An NSA front that doesn't like that China spies
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
http://i.imgur.com/lld5hAg.jpg
[ link to this | view in chronology ]
So the argument is it was an accident???
[ link to this | view in chronology ]
Re: So the argument is it was an accident???
So, yes, that IS the proper response.
[ link to this | view in chronology ]
The certs signed by CNNIC shouldn't even have been usable for *.com - they have been restricted to *.cn. All certificate transparency does is let Google know the moment they're signed, but they shouldn't even be usable in the first place.
[ link to this | view in chronology ]
Re:
In the case of CAs, though, it really is a boolean thing. The trust placed in CAs is simple: that the certificates they are vouching for actually belong to the entities they claim to belong to. That's it. If a CA fails to correctly do this, the certs the CA signs cannot be trusted, period.
What the certs are used for and why faulty certs have been signed are pretty much beside the point in terms of whether the CA can be trusted.
[ link to this | view in chronology ]