A recent alarm over a mis-issued digital certificate for several Google domains has resulted in Google blacklisting China's main certificate authority.
Google is blacklisting all digital certificates from the China Internet Network Information Center (CNNIC), the organisation that manages the .cn domain and a widely trusted root certificate authority.
Google, Mozilla, and Microsoft last week responded to a mis-issued digital certificate from an Egyptian company called MCS Holdings, which could have allowed an attacker to impersonate a Google site and intercept traffic to and from it.
While the error was MCS Holdings', Google blamed CNNIC for delegating "substantial authority to an organization that was not fit to hold it".
CNNIC had issued an intermediate certificate to MCS on the understanding that the Egyptian company would only use the certificates for its own domains. However, the company used the certificates for *.google.com, *.google.com.eg, *.g.doubleclick.net, *.gstatic.com, www.google.com, www.gmail.com, and *.googleapis.com.
In an update to the original blog where Google disclosed the bogus certificate, the company yesterday said that, as a result of a joint investigation by it and CNNIC, "we have decided that the CNNIC Root and EV CAs [extended validation certificate authorities] will no longer be recognized in Google products".
The search company will exercise the decision through a future update to Chrome.
"To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Google said.
"While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the mis-issued certificates were used outside the limited scope of MCS Holdings' test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place."
In other words, the ban appears to be conditional on CNNIC making changes to its certificate handling processes. Despite the conciliatory tone of Google's message, CNNIC has been taken aback by the move.
"The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration," CNNIC said in a statement on Thursday.
"For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected," it added.
Mozilla cryptographic engineering manager Richard Barnes told Ars Technica that Mozilla has yet to determine what action to take in Firefox, though a current proposal would put CNNIC on notice.
Barnes' proposal includes:
- Do not remove the CNNIC root, but
- Reject certificates chaining to CNNIC with a notBefore date after a threshold date.
- Request that CNNIC provide a list of currently valid certificates, and publish that list so that the community can recognize any back-dated certs
- Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
- If CNNIC's re-application is unsuccessful, then their root certificates will be removed
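The two mitigations the article describes, Chrome's temporary whitelist of existing CNNIC certificates and the Firefox proposal to reject certificates chaining to CNNIC with a notBefore after a threshold date, combine into one browser-side trust check. The code below is an added example, not code from the article, Google or Mozilla; certificates are plain dictionaries with constructed names, dates and fingerprints, and the root subject, threshold and whitelist are assumptions.

```python
from datetime import date

# Added example: browser-side trust policy modelled on the article's measures.
# All names, dates and fingerprints below are constructed, not real values.
DISTRUSTED_ROOTS = {"CN=CNNIC ROOT"}   # roots the policy applies to (assumed name)
THRESHOLD = date(2015, 4, 1)           # hypothetical notBefore cutoff
WHITELIST = {"sha256:1111"}            # publicly disclosed pre-existing certs

def build_chain(cert, store):
    """Follow issuer names up to a self-signed root; None if the chain breaks."""
    chain, seen = [cert], {cert["subject"]}
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        issuer = store.get(chain[-1]["issuer"])
        if issuer is None or issuer["subject"] in seen:   # dangling or loop
            return None
        seen.add(issuer["subject"])
        chain.append(issuer)
    return chain

def evaluate(cert, store):
    """Return (trusted, reason) for a leaf certificate under the policy."""
    chain = build_chain(cert, store)
    if chain is None:
        return False, "incomplete chain"
    if chain[-1]["subject"] not in DISTRUSTED_ROOTS:
        return True, "root not affected"
    if cert["fingerprint"] in WHITELIST:
        return True, "on disclosed whitelist"
    # notBefore is set by the issuer, so a back-dated cert passes this test;
    # that is why the proposal also asks for a published list of valid certs.
    late = [c for c in chain[:-1] if c["not_before"] >= THRESHOLD]
    if late:
        return False, "issued after threshold: " + late[0]["subject"]
    return True, "issued before threshold"

def cert(subject, issuer, not_before, fp):
    return dict(subject=subject, issuer=issuer, not_before=not_before, fingerprint=fp)

STORE = {c["subject"]: c for c in [   # constructed sample store (subject -> cert)
    cert("CN=CNNIC ROOT", "CN=CNNIC ROOT", date(2007, 4, 16), "sha256:0000"),
    cert("CN=MCS Sub CA", "CN=CNNIC ROOT", date(2015, 3, 20), "sha256:0001"),
    cert("CN=Other Root", "CN=Other Root", date(2010, 1, 1), "sha256:0002"),
]}
OLD_LEAF = cert("CN=old.example", "CN=MCS Sub CA", date(2015, 3, 25), "sha256:4444")
NEW_LEAF = cert("CN=new.example", "CN=MCS Sub CA", date(2015, 4, 10), "sha256:2222")
WL_LEAF = cert("CN=wl.example", "CN=MCS Sub CA", date(2015, 5, 1), "sha256:1111")
OTHER_LEAF = cert("CN=site.example", "CN=Other Root", date(2015, 6, 1), "sha256:3333")

if __name__ == "__main__":
    for leaf in (OLD_LEAF, NEW_LEAF, WL_LEAF, OTHER_LEAF):
        print(leaf["subject"], evaluate(leaf, STORE))
```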
The Egyptian certificate incident is not the only issue where CNNIC's role as a root CA has been called into question. GreatFire, a group that monitors online censorship in China, has repeatedly called for Apple, Microsoft and Google to revoke trust for CNNIC's certificates.
The group claims that CNNIC has been complicit in a number of man-in-the-middle attacks within China against Apple, Google, Yahoo, and Microsoft services. It's stepped up its calls following the recent block in China on Gmail.