Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC

from the wow dept

As you may have heard, last week Google warned about unauthorized HTTPS certificates for several Google domains that chained up to CNNIC (China Internet Network Information Center, which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm, MCS Holdings, saying it had issued MCS an intermediate certificate on the understanding that MCS would only issue certificates for domains it had registered; instead, MCS installed the intermediate's key in a man-in-the-middle proxy on its network, which minted certificates for domains it had no right to.

Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:
As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
This is a pretty big deal, but the right move for Google to make. The whole HTTPS certificate system rests on trusting the issuers: any certificate authority your browser trusts can vouch for any domain, so one CA that loses control of what it signs can undermine every site on the web, not just the ones it serves. If you can't trust the certificate authorities, the whole system breaks down. This has long been a known problem, and it is going to require a very different security model in the future. But while we still have this system, it is of absolute importance that any breach of trust is dealt with severely.
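Here is how a client can implement the policy the update describes, a root that is no longer trusted except for a published whitelist of existing certificates, as an added example that is not part of the original article and not Chrome's own code. The certificates are constructed stand-ins (names plus fake DER bytes used only for fingerprinting); the names "CNNIC ROOT", "MCS Holdings Test CA" and the hostnames are made up for the sample, and signature, expiry and name-constraint checks are left out so the trust-policy logic stays visible:

```python
# Added example: a minimal trust-store policy of the kind the Google update
# describes. A root can be fully trusted, or distrusted except for leaf
# certificates whose SHA-256 fingerprint is on a published whitelist.
# Everything below is constructed for illustration: no real CNNIC, MCS
# Holdings or Google certificates are involved, and a real verifier also
# checks signatures, validity periods, key usage and name constraints.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # stand-in for the DER encoding; only used for fingerprinting


def fingerprint(cert: Cert) -> str:
    """SHA-256 over the (stand-in) DER bytes, the identifier whitelists use."""
    return hashlib.sha256(cert.der).hexdigest()


@dataclass(frozen=True)
class RootPolicy:
    fully_trusted: bool
    # Leaf fingerprints still accepted although the root itself is distrusted.
    whitelist: frozenset = frozenset()


class TrustStore:
    def __init__(self, roots: dict):
        # Keyed by root fingerprint, so a root with the same name but a
        # different key cannot inherit another root's policy.
        self.roots = roots

    def verify(self, chain):
        """chain[0] is the leaf, chain[-1] the self-signed root. Returns (ok, reason)."""
        if not chain:
            return False, "empty chain"
        for child, parent in zip(chain, chain[1:]):
            if child.issuer != parent.subject:
                return False, f"broken link: {child.subject} not issued by {parent.subject}"
        root = chain[-1]
        if root.subject != root.issuer:
            return False, "chain does not end in a self-signed root"
        policy = self.roots.get(fingerprint(root))
        if policy is None:
            return False, f"unknown root {root.subject}"
        if policy.fully_trusted:
            return True, f"trusted root {root.subject}"
        # Distrusted root: only leaves that existed when the whitelist was
        # published are accepted; anything minted later is rejected.
        if fingerprint(chain[0]) in policy.whitelist:
            return True, f"distrusted root {root.subject}, leaf on whitelist"
        return False, f"distrusted root {root.subject}, leaf not on whitelist"


def _cert(subject: str, issuer: str) -> Cert:
    # Constructed: fake DER bytes derived from the names so fingerprints are stable.
    return Cert(subject, issuer, f"{subject}|{issuer}".encode())


# Constructed sample certificates (hypothetical names, not real ones).
CNNIC_ROOT = _cert("CNNIC ROOT", "CNNIC ROOT")
OTHER_ROOT = _cert("Other Trusted Root", "Other Trusted Root")
LEGIT_LEAF = _cert("www.example.cn", "CNNIC ROOT")            # issued before the distrust
MCS_SUB_CA = _cert("MCS Holdings Test CA", "CNNIC ROOT")      # intermediate handed out by the root
ROGUE_LEAF = _cert("mail.example.com", "MCS Holdings Test CA")  # minted by the intermediate
OTHER_LEAF = _cert("www.example.org", "Other Trusted Root")

STORE = TrustStore({
    fingerprint(CNNIC_ROOT): RootPolicy(fully_trusted=False,
                                        whitelist=frozenset({fingerprint(LEGIT_LEAF)})),
    fingerprint(OTHER_ROOT): RootPolicy(fully_trusted=True),
})


def check_all():
    """Run the sample chains through the store; returns name -> (ok, reason)."""
    return {
        "legit": STORE.verify([LEGIT_LEAF, CNNIC_ROOT]),
        "rogue": STORE.verify([ROGUE_LEAF, MCS_SUB_CA, CNNIC_ROOT]),
        "other": STORE.verify([OTHER_LEAF, OTHER_ROOT]),
        "bogus_link": STORE.verify([ROGUE_LEAF, CNNIC_ROOT]),
    }


if __name__ == "__main__":
    for name, (ok, why) in check_all().items():
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The whitelist is keyed on leaf certificates rather than on intermediates on purpose: an intermediate like the sample "MCS Holdings Test CA" holds a signing key and could keep minting new certificates, so whitelisting it would defeat the distrust, whereas a list of leaf hashes freezes exactly the set of certificates that stay usable.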

Filed Under: china, fraudulent certificate, security certificates
Companies: cnnic, google, mcs holdings


Reader Comments



    Mr. Oizo, 2 Apr 2015 @ 4:42am

    An NSA front that doesn't like that China spies

    Is basically the summary of what is going on.

    Anonymous Coward, 2 Apr 2015 @ 4:57am

    Corporate cooperation due to coercion does not make for an effective "front". Other than opinions shared at the water cooler, is there any evidence that supports your claim?

    Anonymous Coward, 2 Apr 2015 @ 5:00am

    Well that's what happens when you let the trust model break down by allowing your security to be compromised.

      Michael, 2 Apr 2015 @ 6:29am

      Re:

      And I thought the end result of that was a job making millions as a security consultant.

    Luc, 2 Apr 2015 @ 6:01am

    Before anybody makes any conspiracy theory comments, I can easily see China cooperating with this, if they accidentally the certificate authority, by trusting the wrong people. It's not Google or China's good faith that's at issue, it's some people who illegally acquired CNNIC's root keys, and until the CNNIC can start securely issuing certs again, this is, even from the Chinese authorities' perspective, a valid security response.

    Anonymous Coward, 2 Apr 2015 @ 1:38pm

    So the argument is it was an accident???

    In that case, the appropriate response is to remove the CNNIC from the trusted list immediately and, until certain it will not happen again, don't add them again. An accident is actually worse than malice, because at least if it was malice pressure can keep them in line, but if it was accidental, then they can not be trusted at all.

      Paul Renault (profile), 2 Apr 2015 @ 2:33pm

      Re: So the argument is it was an accident???

      ...already removed CNNIC from my 'trusted' list weeks ago.

      So, yes, that IS the proper response.

    R, 6 Apr 2015 @ 1:33am

    The underlying problem is that we try to reduce something as complex as trust to a boolean value. Online banking and reading the news do not require the same levels of security, and the former should be subjected to higher standards and verified by multiple CAs, while I don't really care if the latter uses a self-signed cert.

    The certs signed by CNNIC shouldn't even have been usable for *.com - they should have been restricted to *.cn. All certificate transparency does is let Google know the moment they're signed, but they shouldn't even be usable in the first place.

      John Fenderson (profile), 6 Apr 2015 @ 8:23am

      Re:

      "The underlying problem is that we try to reduce something as complex as trust to a boolean value"

      In the case of CAs, though, it really is a boolean thing. The trust placed in CAs is simple: that the certificates they are vouching for actually belong to the entities they claim to belong to. That's it. If a CA fails to correctly do this, the certs the CA signs cannot be trusted, period.

      What the certs are used for and why faulty certs have been signed are pretty much beside the point in terms of whether the CA can be trusted.

