Google is blacklisting digital certificates issued by the China Internet Network Information Center (CNNIC) in Chrome following the discovery that unauthorized certificates for Google domains could be traced back to China’s main certificate authority and manager of the .cn domain. The CNNIC had issued intermediate certificates to an Egyptian company called MCS Holdings, which installed the private keys in a man-in-the-middle proxy rather than in a suitable hardware security module, Google says in a blog post.
Google discovered the certificates on Mar. 20 and informed both the CNNIC and major browsers. Public-key pinning would have caused some Chrome and Firefox versions to reject the certificates, but because CNNIC is a trusted authority included in all major root stores, most browsers and operating systems would have accepted the certificates issued by MCS. Google also blocked the MCS certificate in Chrome with a CRLSet push.
CNNIC informed Google two days later that under its contract MCS would issue certificates only for domains it had registered. Google considers this an inappropriate delegation of authority.
Google compared the situation to a clash with French certificate authority ANSSI in late 2013. In that case Google limited the authority of ANSSI to certain domains in further releases of Chrome. An Indian government agency was also caught issuing fake SSL certificates last summer.
In this case, Google has decided to block both the CNNIC root and its extended validation certificate authorities, though a “publicly disclosed whitelist” will allow existing CNNIC certificates to be trusted in Chrome until a future update.
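As an added illustration (not code from Google or from the article), the following Python models the two mechanisms described above: public-key pinning, which rejects a chain carrying none of the expected keys even when its root is trusted, and the post-incident CNNIC block with a whitelist of existing certificates. The certificate contents are constructed placeholders, and keying the whitelist by leaf SPKI pin is an assumption made for the model.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_der: bytes  # DER SubjectPublicKeyInfo; constructed placeholder bytes below

def spki_pin(cert):
    # Pin as Chrome's static pins and HPKP compute it: base64(SHA-256(SPKI DER)).
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode()

def evaluate_chain(chain, trusted_roots, host_pins, blocked_roots, whitelist):
    """Chain is ordered leaf -> ... -> root; every set holds SPKI pins."""
    root_pin = spki_pin(chain[-1])
    if root_pin not in trusted_roots:
        return False, "root not in trust store"
    if host_pins and {spki_pin(c) for c in chain}.isdisjoint(host_pins):
        return False, "pin validation failed"  # no pinned key anywhere in the chain
    if root_pin in blocked_roots and spki_pin(chain[0]) not in whitelist:
        return False, "root blocked and leaf not whitelisted"
    return True, "accepted"

# Constructed sample "certificates": the bytes stand in for real SPKI DER.
CNNIC_ROOT = Cert("CNNIC ROOT", "CNNIC ROOT", b"spki:cnnic-root")
MCS_SUBCA = Cert("MCS Holdings", "CNNIC ROOT", b"spki:mcs-proxy")
MITM_LEAF = Cert("*.google.com", "MCS Holdings", b"spki:mcs-proxy-leaf")
OTHER_ROOT = Cert("legitimate root", "legitimate root", b"spki:real-root")
REAL_LEAF = Cert("*.google.com", "legitimate root", b"spki:real-google")
OLD_CN_LEAF = Cert("www.example.cn", "CNNIC ROOT", b"spki:old-cn-site")
NEW_CN_LEAF = Cert("new.example.cn", "CNNIC ROOT", b"spki:new-cn-site")

TRUST_STORE = {spki_pin(CNNIC_ROOT), spki_pin(OTHER_ROOT)}
GOOGLE_PINS = {spki_pin(OTHER_ROOT)}  # what static pins for Google domains encode
MITM_CHAIN = [MITM_LEAF, MCS_SUBCA, CNNIC_ROOT]

def unpinned_client():
    # Most browsers: CNNIC is a trusted root, so the MCS-issued cert is accepted.
    return evaluate_chain(MITM_CHAIN, TRUST_STORE, set(), set(), set())

def pinned_client():
    # Chrome/Firefox with pins for Google domains reject it despite the trusted root.
    return evaluate_chain(MITM_CHAIN, TRUST_STORE, GOOGLE_PINS, set(), set())

def after_cnnic_block(leaf):
    # CNNIC root blocked; only previously issued, whitelisted leafs keep working.
    return evaluate_chain([leaf, CNNIC_ROOT], TRUST_STORE, set(),
                          {spki_pin(CNNIC_ROOT)}, {spki_pin(OLD_CN_LEAF)})
```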
“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents,” wrote Google Security Engineer Adam Langley. “CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
For its part the CNNIC assured certificate holders that their “lawful rights and interests will not be affected.” It also said: “The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.”
Chinese online censorship monitor GreatFire.org, which suffered a sustained DDoS attack in March, has repeatedly called for the CNNIC’s trust to be revoked by Western companies that have clashed with the Chinese government, and by Google specifically.
Mozilla is carefully considering its options, and may take a similar approach to Google, Ars Technica reports.
Trust continues to be a focus for Google. It was revealed last month that Google Apps exposed personal data due to a bug. The company says the issue with CNNIC highlights the need for Certificate Transparency.
Certificate Authority Trustwave admitted to issuing certificates to a private company to spy on SSL-protected connections within its own network in 2012, and had its trustworthiness questioned. Comments to Google’s blog post suggest spying is also the motivation for the unauthorized CNNIC certificates.
China blocked Google as part of a major censorship campaign ahead of the 25th Anniversary of the Tiananmen Square massacre last summer, and is accused of blocking Gmail access late in 2014.