
This article is more than 1 year old

RAGING Google SLAPS naughty Chinese root cert kingpins CNNIC

Certificate dodginess leads to Chrome banhammer

Google has announced it will no longer recognise the Chinese Internet Network Information Centre (CNNIC) as a Root Certificate Authority, following an investigation into unauthorised certificates issued for several Google domains.

Adam Langley, a security engineer at the Chocolate Factory, wrote that Google had become aware of unauthorised certificates issued by an intermediate certificate authority "apparently held by a company called MCS Holdings", adding that the "intermediate certificate was issued by CNNIC."

Although public-key pinning for Google sites would have prevented Chrome and Firefox 33+ browsers from accepting these certificates, as CNNIC is a root certificate authority and included in all major root stores, "the misissued certificates would be trusted by almost all browsers and operating systems."

Google claims it "promptly alerted CNNIC" about the incident, and pushed a CRLSet block of the MCS Holdings certificate into Chrome. CNNIC offered an explanation of the incident which Google does acknowledge "is congruent with the facts" – yet Mountain View states that "CNNIC still delegated their substantial authority to an organisation that was not fit to hold it."

An update to the blogpost yesterday, however, saw Google go public with its decision on CNNIC, the administrative agency responsible for internet affairs under the Chinese Ministry of Industry and Information.

To take effect in a future Chrome update, the blog states that "the CNNIC Root and EV CAs will no longer be recognized in Google products."

"To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Langley qualifies.

The Chocolate Factory states: "While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network. CNNIC will be working to prevent any future incidents."

Google's blog bullishly states: "CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place."

In its response, CNNIC said: "The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration." ®
