Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC

from the wow dept

As you may have heard, last week, Google warned about an unauthorized HTTPS certificate being issued via CNNIC (China Internet Network Information Center -- which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm MCS Holdings, saying it had allowed MCS to issue security certificates for domains it had registered, but MCS had abused that power to issue bogus certificates.

Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:

As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

This is a pretty big deal, but the right move for Google to make. It's well known that the whole setup of security certificates is based on how much you trust the issuers of the certificates. If you can't trust the certificate authorities the whole system breaks down. This has long been a problem that is going to require a very different security model in the future. But, while we still have that system, it's of absolute importance that any breach of trust needs to be dealt with severely.

Filed Under: china, fraudulent certificate, security certificates
Companies: cnnic, google, mcs holdings

Are Apple, Google, Microsoft And Mozilla Helping Governments Carry Out Man-In-The-Middle Attacks?

from the and-what-can-they-do-about-it? dept

Back in September, we reported on the Chinese authorities using man-in-the-middle attacks to spy on citizens who carry out Google searches over encrypted connections. That's done by using a fake security certificate to redirect traffic to a server where the traffic is decrypted, analyzed, and blocked if necessary. A new post on the Greatfire.org Web site points out that this approach can only work if the user's computer trusts the certificate's issuing authority, in this case the China Internet Network Information Center, and that it's curious that browsers from the West do so quite so readily:

Microsoft, Apple and Mozilla among others, trust CNNIC (China Internet Network Information Center) to protect your communications on their platforms by default, regardless of whether or not you are in China. CNNIC has implemented (and tried to mask) internet censorship, produced malware and has very bad security practices. Tech-savvy users in China have been protesting the inclusion of CNNIC as a trusted certificate authority for years. In January 2013, after Github was attacked in China, we publicly called for the the revocation of the trust certificate for CNNIC. In light of the recent spate of man-in-the-middle (MITM) attacks in China, and in an effort to protect user privacy not just in China but everywhere, we again call for revocation of CNNIC Certificate Authority.

Although the logic of revoking CNNIC as a trusted certificate authority might seem inarguable, the consequences of doing so are likely to be serious. For example, the Chinese government might decide to ban the use of any browser that did not include CNNIC. That's hard to police, but the threat alone would be enough to dissuade any software company from removing CNNIC's certificate from its browser.

Perhaps the best solution is simply making users aware of the issue, and explaining how they can remove any certificate authority they have doubts about. And not just for China: these problems can arise in any country where a local trusted certificate authority is under the direct -- or indirect -- control of the government.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: certificate authorities, china, man in the middle attacks, security, trust
Companies: apple, cnnic, google, microsoft, mozilla