Google’s Distrust of Chinese Digital Certificates

April 3, 2015

Have you ever tried to visit a site online and received an error message saying that the website you’re trying to access isn’t trusted? That is about to happen more often, thanks to the recent falling-out between Google and the China Internet Network Information Center (“CNNIC”).
Google recently announced that it will no longer trust certain digital certificates issued by CNNIC. This decision follows a breach last week in which unauthorized certificates for Gmail and other Google domains were issued. CNNIC is a Chinese administrative body that operates as a certificate authority (“CA”), meaning it functions as a trusted organization that verifies identities and vouches for them by issuing digital certificates.
The certificates in question are the ones websites present to prove their identity and secure their connections. CNNIC issues such certificates for the .cn domain, and it delegated its authority to MCS Holdings, an Egyptian intermediary, to issue certificates. MCS used that authority in a man-in-the-middle proxy rather than keeping the intermediate’s private key in a proper hardware security module (“HSM”). Google Security Engineer Adam Langley stated that such a system allows “devices to intercept secure connections by masquerading as the intended destination.” The issuance of these unauthorized certificates breaches the rules established by CAs and browser makers, which prohibit CAs from issuing certificates for domains that the requesting customer does not control.

Langley continued that the “proxy was given the full authority of a public CA which is a serious breach of the CA system…CNNIC still delegated their substantial authority to an organization that was not fit to hold it.”

After further investigation, Google has decided to drop the CNNIC root certificate authority completely. This decision could affect individuals and companies trying to connect to banking or other sites that use certificates issued by CNNIC. So, to give those affected time to respond, Google is allowing CNNIC’s existing certificates to remain trusted for a limited time.
CNNIC isn’t happy about Google’s decision. In a statement released Thursday, April 2, CNNIC called Google’s decision “unacceptable and unintelligible,” while sincerely urging Google to “take user’s rights and interest into full consideration.”
Following Google’s lead, Mozilla is now planning to reject new digital certificates issued by CNNIC, but will continue to trust certificates that already exist. After analyzing the MCS Holdings incident, Mozilla found that CNNIC violated several policies simply by issuing the intermediate certificate to MCS Holdings. For example, Mozilla requires intermediate certificates to be either technically restricted, meaning they can only be used to issue certificates for particular domain names, or unrestricted but publicly disclosed and audited like root certificates. In this case, neither requirement was met.
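The “technically restricted” option Mozilla describes is enforced by path validation through the X.509 Name Constraints extension. The following Go program is an added example, not code from the original article or from Google, Mozilla or CNNIC: it builds a constructed three-tier chain (root, intermediate, leaf) and shows that a verifier rejects a leaf for a Google domain when the intermediate is constrained to .cn, while an unconstrained intermediate, like the one delegated to MCS Holdings, is accepted for any hostname. The CA names, hostnames and the .cn constraint are constructed values chosen for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a CA (isCA) or TLS-server certificate for cn, signed by parent or self-signed when
// parent is nil. A non-nil permitted list becomes a critical Name Constraints extension.
func newCert(cn string, isCA bool, permitted []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: permitted != nil,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // hostname matching uses the SAN, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// ChainAccepted builds root -> intermediate -> leaf for dnsName, with the intermediate limited to the
// permitted DNS subtrees (nil = unconstrained), and reports whether path validation accepts the chain.
func ChainAccepted(dnsName string, permitted []string) bool {
	root, rootKey := newCert("Test Root CA", true, nil, nil, nil)
	inter, interKey := newCert("Test Intermediate CA", true, permitted, root, rootKey)
	leaf, _ := newCert(dnsName, false, nil, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err == nil
}
```

Calling `ChainAccepted("mail.google.com", []string{".cn"})` returns false, while the same hostname under an unconstrained intermediate (`nil`) returns true, which is exactly the exposure Mozilla’s policy is meant to rule out.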
Mozilla and Google’s plans have the same effect – their products will reject certain CNNIC certificates for specified time periods. Google will soon reject all CNNIC certificates, and Mozilla will only reject newly issued ones.