Google disqualifies Chinese internet security certificates after trust breach

Since there are no reports of abuse, Google is not recommending that people change passwords or take other action.


Google announced on its official security blog on Wednesday that it will no longer recognise security certificates issued by the official China Internet Network Information Centre (CNNIC), following a major breach of trust.

Last month, China’s Website Certificate Authority issued valid security certificates for a number of domains, including Gmail and several other Google domains, without their permission, resulting in a potential security lapse. The unauthorized certificates were issued by an intermediate certificate authority, the Egypt-based MCS Holdings, which operated under the authority of CNNIC.

These certificates, which are stored by the server hosting the website and read by many web browsers, are meant to safeguard Internet users from scams and identity theft, also known as phishing.

The ban means that users of Google’s Chrome will likely see warnings when attempting to visit sites certified by CNNIC. Moreover, other websites operating under a Chinese identity may also be affected, since Chrome browsers will no longer accept their security certificates. It is still not clear how many websites CNNIC has certified and could therefore trigger warning messages.

Google said that CNNIC is included in all major root stores and so the unauthorized certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have declined these certificates because of public-key pinning, although unauthorized certificates for other sites still exist.

Google further said that it had immediately notified CNNIC and other major browsers about the breach and blocked the MCS Holdings certificate in Chrome with a CRLSet push.
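The difference between root-store trust, public-key pinning and a blocklist push can be shown in a small model. This is an added example, not code from Google or from the original article: the certificates are constructed placeholders, signature checks are omitted, and a set of blocked key hashes stands in for the CRLSet.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo

def spki_pin(cert):
    """Base64 SHA-256 of the public key info, the form a key pin takes."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

# Constructed data: placeholder names and key bytes, not real certificates.
ROOT_A = Cert("Example Root A", "Example Root A", b"root-a-key")
ROOT_B = Cert("Example Root B", "Example Root B", b"root-b-key")
INTER_B = Cert("Example Intermediate B", "Example Root B", b"inter-b-key")
ROOT_STORE = {c.subject: c for c in (ROOT_A, ROOT_B)}  # both roots are trusted

# The pinned site only ever uses keys that chain to Root A.
PINS = {"mail.example.com": {spki_pin(ROOT_A)}}

GOOD = [Cert("mail.example.com", "Example Root A", b"site-key"), ROOT_A]
MISISSUED_PINNED = [Cert("mail.example.com", "Example Intermediate B", b"mitm-1"),
                    INTER_B, ROOT_B]
MISISSUED_UNPINNED = [Cert("shop.example.net", "Example Intermediate B", b"mitm-2"),
                      INTER_B, ROOT_B]

def chains_to_trusted_root(chain):
    """Issuer/subject name chaining only; signatures are omitted in this model."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return ROOT_STORE.get(chain[-1].subject) == chain[-1]

def evaluate(host, chain, blocked=frozenset()):
    """Return the verdict for a chain ordered leaf first, root last."""
    if not chain or chain[0].subject != host:
        return "reject: name mismatch"
    if not chains_to_trusted_root(chain):
        return "reject: untrusted root"
    hashes = {spki_pin(c) for c in chain}
    if hashes & set(blocked):
        return "reject: blocked certificate"
    pins = PINS.get(host)
    if pins is not None and not (pins & hashes):
        return "reject: pin mismatch"
    return "accept"
```

The mis-issued chain for the pinned host is rejected even though its root is trusted, while the same intermediate is accepted for the unpinned host until its key hash is added to `blocked`.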

CNNIC said that it entered into an agreement with MCS Holdings on the basis that MCS would only issue certificates for domains that it had registered. It said in a statement on its website that Google’s decision to ban the certificates was hard to understand and accept, and appealed to Google to fully consider the rights of users. CNNIC also assured that its existing users wouldn’t be affected.

Google further stated that CNNIC could apply for its certificates to be accepted again after revamping its verification process. Sites already holding CNNIC certificates will still be marked as trusted in Chrome for a limited period of time, Google said, without further explanation.

Google Chrome users are not required to take any action to be safeguarded by the CRLSet updates. Since there are no reports of abuse, Google is not recommending that people change passwords or take other action.

Anna Domanska
Anna Domanska is an Industry Leaders Magazine author with a wide range of knowledge of business news. She is an avid reader and writer of business and CEO magazines and a rigorous follower of business leaders.
