
Google Drops Trust in Chinese Certificate Authority CNNIC

2015-04-02 09:35

Google has taken the unusual step of completely removing trust from Chrome for the Chinese certificate authority CNNIC in the wake of an incident in which certificates issued by the CA were misused.

Google officials announced the severe decision on Wednesday, saying that it was made after an investigation by the company and CNNIC. The decision comes a couple of weeks after Google officials discovered that a certificate issued by CNNIC to MCS Holdings, an intermediate CA, was being used in a man-in-the-middle proxy to intercept traffic to some Google domains. Google and other browser vendors had removed trust from their browsers for the misused certificate, but Google has now taken the further step of dropping CNNIC from the Chrome trust store altogether.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist,” Google’s Adam Langley said in an update to the company’s post Wednesday.

“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”

Unsurprisingly, CNNIC officials took exception to Google’s decision, saying it was “unacceptable”.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” the company said in a message posted Thursday.

The removal of CNNIC from Chrome’s trust store will have the effect of causing all of the certificates issued by the company to be marked as untrusted by the browser. This could leave users confused about the authenticity of the sites they’re visiting if they’re unaware of the decision by Google.

A historical analog is the 2012 incident involving Trustwave, which issued a certificate to a customer for use in a DLP system. Google did not completely remove Trustwave from Chrome’s trust store after that incident.


Source: threatpost.com/google-drops-trust-in-chinese-certificate-authority-cnnic/111974
