Google and Mozilla have just announced that they will blacklist digital certificates from the China Internet Network Information Center, the country’s main Internet agency.
CNNIC oversees China’s Internet infrastructure. This means that Google Chrome and Mozilla Firefox will soon stop accepting certificates from most websites with the .cn domain. With the ban, Chrome and Firefox users will receive a pop-up that alerts them to possible security risks.
The move comes about two weeks after a security breach that involved unauthorized digital certificates for Google domains such as Gmail. On March 20, Google found that MCS Holdings, an Egyptian IT company, misused certificates. MCS Holdings obtained its intermediate certificate from CNNIC.
Google said that MCS used the certificates for a man-in-the-middle proxy. According to CNNIC, it had agreed to issue a certificate to MCS on the condition that the company would issue certificates only for domains it had registered. MCS instead used them to intercept users’ connections by impersonating the sites they were trying to reach. Google called the incident “a serious breach” because all major browsers and operating systems recognized CNNIC certificates.
“This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it,” said Adam Langley, a security engineer at Google.
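The delegation problem Langley describes has a standard technical control: an intermediate certificate can carry an X.509 name constraint so that validators reject any leaf it issues outside the permitted DNS subtree. The following Go program is an added example, not code from the article, Google or CNNIC; it builds a constructed root, a constrained intermediate and a leaf, and shows path validation accepting a leaf inside the permitted domain and rejecting one outside it. All names (`example.cn`, `mail.example.org`, the CA subjects) are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under the parent's key (pass tmpl itself as parent for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// ChainAccepted builds a constructed root -> intermediate -> leaf chain whose intermediate carries
// a critical name constraint for `permitted`, and reports whether a leaf for `host` validates.
func ChainAccepted(permitted, host string) bool {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := x509.Certificate{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	root := ca
	root.SerialNumber, root.Subject = big.NewInt(1), pkix.Name{CommonName: "Constructed Root CA"}
	rootCert := sign(&root, &root, &rootKey.PublicKey, rootKey)
	inter := ca // same CA profile as the root, but restricted to one DNS subtree
	inter.SerialNumber, inter.Subject = big.NewInt(2), pkix.Name{CommonName: "Constrained Intermediate"}
	inter.PermittedDNSDomainsCritical, inter.PermittedDNSDomains = true, []string{permitted}
	interCert := sign(&inter, rootCert, &interKey.PublicKey, rootKey)
	leaf := x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafCert := sign(&leaf, interCert, &leafKey.PublicKey, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCert)
	inters.AddCert(interCert)
	_, err := leafCert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil // Verify enforces the intermediate's name constraints just as a browser would
}

func main() {
	fmt.Println(ChainAccepted("example.cn", "www.example.cn"), ChainAccepted("example.cn", "mail.example.org")) // true false
}
```

A browser that enforces name constraints would have refused a certificate for a domain outside the intermediate's permitted subtree even though the chain was signed by a trusted root.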
To help users adjust to the changes, Google has provided a grace period. The company said that it will recognize CNNIC’s existing certificates for a “limited time.” This exemption will only be extended to websites that are included in Google’s “whitelist.”
CNNIC, which conducted an investigation of its own after the breach, criticized Google’s move. “The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” the agency wrote on its website.
In spite of the ban, Google has indicated that it would be willing to reinstate CNNIC at a later time. “While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents,” Google wrote. “We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”