Google has announced it will no longer recognise the Chinese Internet Network Information Centre (CNNIC) as a Root Certificate Authority, following an investigation into unauthorised certificates issued for several Google domains.
Adam Langley, a security engineer at the Chocolate Factory, wrote that Google had become aware of unauthorised certificates issued by an intermediate certificate authority "apparently held by a company called MCS Holdings", adding that the "intermediate certificate was issued by CNNIC."
Public-key pinning for Google sites meant that Chrome and Firefox 33 and later would have rejected these certificates, but pins protect only the domains that carry them, and because CNNIC is a root certificate authority included in all major root stores, "the misissued certificates would be trusted by almost all browsers and operating systems."
Google claims it "promptly alerted CNNIC" about the incident, and pushed a CRLSet update to Chrome blocking the MCS Holdings certificate. CNNIC offered an explanation of the incident which Google acknowledges "is congruent with the facts", yet Mountain View states that "CNNIC still delegated their substantial authority to an organisation that was not fit to hold it."
An update to the blog post yesterday, however, saw Google announce its decision against CNNIC, the administrative agency responsible for internet affairs under China's Ministry of Industry and Information Technology.
The blog states that, as of a future Chrome update, "the CNNIC Root and EV CAs will no longer be recognized in Google products."
"To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Langley qualifies.
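The three mechanisms mentioned above (root-store trust versus public-key pinning, the CRLSet block on the MCS intermediate, and the hash whitelist of CNNIC's existing certificates) stack on top of ordinary chain validation. The following is an added example, not code from Google, CNNIC or this article: it models those layers as a small policy engine over stand-in certificate records. The certificates, key bytes, the "Other Root" that Google's pinned chain terminates in, and the customer host names are all constructed for illustration; there is no real DER parsing or signature checking, only name chaining, so the point is the order and effect of the checks, not X.509 itself.

```python
"""Policy layer modelled on Chrome's handling of the CNNIC/MCS mis-issuance.

Added example, not code from Google or The Register. Certificates are
constructed stand-in records (no real DER, no signatures); the SPKI bytes
and host names below are invented for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # CN; for leaves this doubles as the host name (simplification)
    issuer: str    # CN of the issuing certificate
    spki: bytes    # stand-in for the DER SubjectPublicKeyInfo
    serial: int


def spki_sha256(cert: Cert) -> str:
    """Chrome's pins and CRLSet entries are keyed on SHA-256 of the SPKI."""
    return hashlib.sha256(cert.spki).hexdigest()


def cert_sha256(cert: Cert) -> str:
    """Stand-in for the SHA-256 of the whole DER certificate, the key used by
    the CNNIC whitelist. Real code hashes the DER bytes; we hash the fields."""
    material = f"{cert.subject}|{cert.issuer}|{cert.serial}".encode() + cert.spki
    return hashlib.sha256(material).hexdigest()


@dataclass
class TrustPolicy:
    root_store: Set[str]                        # SPKI hashes of trusted roots
    crlset_blocked_spki: Set[str]               # SPKI hashes blocked outright (push revocation)
    pins: Dict[str, Set[str]]                   # host -> SPKI hashes; any one in the chain suffices
    cnnic_roots: Set[str]                       # SPKI hashes identifying the CNNIC root(s)
    cnnic_whitelist: Optional[Set[str]] = None  # leaf cert hashes still accepted; None = unrestricted


def evaluate(chain: List[Cert], host: str, policy: TrustPolicy) -> Tuple[bool, str]:
    """chain is [leaf, intermediate..., root]. Returns (accepted, reason)."""
    leaf, root = chain[0], chain[-1]
    if leaf.subject != host:
        return False, "name mismatch"
    for child, parent in zip(chain, chain[1:]):       # name chaining only, no signatures
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject}"
    if spki_sha256(root) not in policy.root_store:
        return False, "untrusted root"
    # CRLSet: the mechanism Google used to kill the MCS intermediate in Chrome.
    for cert in chain:
        if spki_sha256(cert) in policy.crlset_blocked_spki:
            return False, f"CRLSet block on {cert.subject}"
    # Pinning: a pinned host needs at least one pinned key somewhere in the chain.
    if host in policy.pins and not ({spki_sha256(c) for c in chain} & policy.pins[host]):
        return False, "pin violation"
    # Whitelist: once CNNIC is distrusted, only listed existing leaves get through.
    if policy.cnnic_whitelist is not None and any(spki_sha256(c) in policy.cnnic_roots for c in chain):
        if cert_sha256(leaf) not in policy.cnnic_whitelist:
            return False, "CNNIC-chained cert not on whitelist"
    return True, "accepted"


# Constructed certificates (hypothetical keys and hosts, not real CNNIC or Google data).
CNNIC_ROOT = Cert("CNNIC ROOT", "CNNIC ROOT", b"cnnic-root-key", 1)
MCS_INTERMEDIATE = Cert("MCS Holdings CA", "CNNIC ROOT", b"mcs-proxy-key", 2)
OTHER_ROOT = Cert("Other Root", "Other Root", b"other-root-key", 3)          # hypothetical pinned root
GOOGLE_LEGIT = Cert("www.google.com", "Other Root", b"google-real-key", 10)
GOOGLE_FORGED = Cert("www.google.com", "MCS Holdings CA", b"mcs-forged-google-key", 11)
EXAMPLE_FORGED = Cert("www.example.com", "MCS Holdings CA", b"mcs-forged-example-key", 12)
CNNIC_OLD = Cert("www.old-customer.example", "CNNIC ROOT", b"old-customer-key", 13)
CNNIC_NEW = Cert("www.new-customer.example", "CNNIC ROOT", b"new-customer-key", 14)


def policy_before() -> TrustPolicy:
    """State when the certificates surfaced: CNNIC a normal root, no CRLSet entry."""
    return TrustPolicy(
        root_store={spki_sha256(CNNIC_ROOT), spki_sha256(OTHER_ROOT)},
        crlset_blocked_spki=set(),
        pins={"www.google.com": {spki_sha256(OTHER_ROOT)}},
        cnnic_roots={spki_sha256(CNNIC_ROOT)},
    )


def policy_after() -> TrustPolicy:
    """MCS blocked via CRLSet; CNNIC-chained leaves accepted only from the whitelist."""
    policy = policy_before()
    policy.crlset_blocked_spki = {spki_sha256(MCS_INTERMEDIATE)}
    policy.cnnic_whitelist = {cert_sha256(CNNIC_OLD)}
    return policy


if __name__ == "__main__":
    mcs_google = [GOOGLE_FORGED, MCS_INTERMEDIATE, CNNIC_ROOT]
    mcs_example = [EXAMPLE_FORGED, MCS_INTERMEDIATE, CNNIC_ROOT]
    print("forged google.com, before:", evaluate(mcs_google, "www.google.com", policy_before()))
    print("forged example.com, before:", evaluate(mcs_example, "www.example.com", policy_before()))
    print("forged example.com, after:", evaluate(mcs_example, "www.example.com", policy_after()))
    print("old CNNIC customer, after:", evaluate([CNNIC_OLD, CNNIC_ROOT], CNNIC_OLD.subject, policy_after()))
    print("new CNNIC customer, after:", evaluate([CNNIC_NEW, CNNIC_ROOT], CNNIC_NEW.subject, policy_after()))
```

Run as a script it walks through the incident: under the "before" policy the forged google.com certificate dies on the pin check while an equally forged certificate for an unpinned host sails through, which is exactly why pinning alone was not enough. Under the "after" policy the CRLSet entry stops anything issued under the MCS key, and a CNNIC-chained certificate is accepted only if its hash is on the whitelist, so existing customers keep working while nothing newly issued by CNNIC is trusted.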
The Chocolate Factory state that "While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents."
Google's blog bullishly states: "CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place."
In its response, CNNIC said: "The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration." ®