
Google won’t recognize CNNIC issued internet security certificates


Tech giant Google has announced that its web browser Chrome and other products will no longer recognize security certificates issued by the China Internet Network Information Center (CNNIC).

The announcement by the search giant follows a major trust breach last week that resulted in the issuance of unauthorized credentials for Gmail and several other Google domains.

The Chinese government body CNNIC, which administers security certificates for the .cn country code as well as Chinese-language domain names, reportedly delegated its authority to Egyptian intermediary MCS Holdings to issue the certificates in question, and the company installed that authority in a man-in-the-middle proxy internally.

The announcement means that Chrome users heading to websites with unauthorized certificates could get a warning message or be unable to access the site. It is not known how many sites have certificates from CNNIC.

“While neither we nor CNNIC believe any further unauthorised digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents,” Google said on its official security blog on Wednesday.

The search giant added that CNNIC was welcome to reapply for recognition “once suitable technical and procedural controls are in place,” and CNNIC’s existing certificates would be trusted for a limited time through a whitelist.

“To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist,” the company said.

Microsoft and Mozilla, owner of the popular Firefox web browser, also announced they were revoking trust in all MCS certificates.

In response, the Chinese internet regulator on Thursday slammed Google for its “unacceptable and unintelligible” decision to no longer recognise its certificates of trust.

It urged Google to “take users’ rights and interests into full consideration.”

The regulator flatly denied being involved in the security breach in any manner, saying the Egypt-based MCS Holdings is responsible for issuing the faulty certificates.