Google Bans China’s Website Certificate Authority After Security Breach

Google has announced that its web browser Chrome and other products will no longer recognize security certificates issued by the China Internet Network Information Center (CNNIC), the government agency that oversees China’s domain name registry.

This is significant because CNNIC administers security certificates for the .cn country code, as well as Chinese-language domain names, which are open to businesses registered within China.

Unless one of those sites is on a whitelist of legitimate domains CNNIC provides to Google, Chrome users will see a pop-up warning them about its security (though they can choose to ignore it and proceed to the site).

The ban comes two weeks after Google noticed unauthorized digital certificates for several Google domains that were issued through MCS Holdings, an intermediate certificate authority contracted by the CNNIC.

The CNNIC explained to Google that instead of keeping the security certificate’s private key safely tucked away in a proper hardware security module, MCS Holdings installed it in a man-in-the-middle proxy, leaving it extremely vulnerable to interception.

“This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it,” Google said in its first post about the issue, which was published on March 23 on its Online Security Blog.

(MCS Holdings, which is based in Egypt, maintains the mishandling of the private key was due to human error and an accident.)

In a new update to the same post, Google announced that its products will no longer recognize the CNNIC’s security certificates.

The change will be seen in a future Chrome update, though the company will give legitimate domains certified by the CNNIC a grace period: “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.”

This includes websites operated by the Chinese government.
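To show the mechanism behind the whitelist described above, here is an added Go example (not code from Google, CNNIC or the article): it builds a constructed three-level chain with the standard library, shows that normal X.509 path validation accepts any hostname an intermediate signs once its root is trusted, and then applies a per-root hostname allowlist that rejects a certificate for an unlisted name. The CA names, the hostname www.google.example and the mkCert/verify helpers are all constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert is a constructed demo helper (not any CA's tooling): self-signed when parent
// is nil (a root), otherwise signed by parent, as a root delegates to an intermediate.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if !isCA {
		tmpl.DNSNames = []string{cn} // browsers match the hostname against SANs, not the CN
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify runs standard X.509 path validation, under which any intermediate the
// root has signed may vouch for any hostname, then applies an optional per-root
// hostname allowlist of the kind the article describes (nil means no allowlist).
func verify(leaf, inter, root *x509.Certificate, host string, allowed map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}
	if _, err := leaf.Verify(opts); err != nil {
		return err // bad signature, expiry, hostname mismatch, missing CA flag, ...
	}
	if allowed != nil && !allowed[host] {
		return fmt.Errorf("%q chains to %q but is not on that root's allowlist", host, root.Subject.CommonName)
	}
	return nil
}
```

A driver that builds root, intermediate and leaf with mkCert and calls verify twice, first with a nil allowlist and then with one that omits the leaf's hostname, sees the same chain accepted and then rejected.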

Google added that “we applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”

This did not placate the Chinese agency, however, which has issued a statement on its website declaring that “the decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.”

It added “for the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

Google’s decision to suspend the CNNIC is relatively unusual. Ars Technica notes that this is one of the first times a certificate authority has been punished in a similar manner since the Netherlands-based DigiNotar’s root certificates were removed by Mozilla in 2011 after a security breach.

Google’s reaction makes sense, however, because the CNNIC plays a pivotal role in public key infrastructure, which protects website security and users around the world. By farming work out to a third-party security authority, CNNIC let go of a crucial layer of control, which allowed the unauthorized certificates to show up.

As Tom Lowenthal writes on the Committee to Protect Journalists blog:

Even one rogue CA can issue false credentials to devastating effect. False credentials allow for what is called a man-in-the-middle (MiM) attack. With a false credential in hand, an attacker can impersonate whoever the certificate was issued for—like a passport that shows your name but someone else’s face.