Google announced on its official security blog on Wednesday that it will no longer recognise security certificates issued by the China Internet Network Information Centre (CNNIC), following a major breach of trust.
Last month, certificates chaining to CNNIC's root were issued for Gmail and several other Google domains without Google's authorisation. The unauthorised certificates were issued by an intermediate certificate authority, the Egypt-based MCS Holdings, which held an intermediate certificate signed by CNNIC and, according to Google, used it in a man-in-the-middle proxy rather than to certify its own domains.
A certificate binds a domain name to a public key. The web server presents it during the TLS handshake, and the browser accepts the connection only if the certificate chains to a certificate authority in its trust store. A certificate for a Google domain issued to someone other than Google therefore lets that party impersonate the site, or silently intercept and read traffic to it, without triggering any browser warning.
The ban means that Chrome users will see certificate warnings when visiting sites whose certificates chain to CNNIC's roots. Chinese websites that obtained their certificates from CNNIC are likely to be affected, since Chrome will no longer accept those certificates. It is still not clear how many websites CNNIC has certified and so could trigger warning messages.
Google said that CNNIC is included in all major root stores, so the unauthorised certificates would have been trusted by almost all browsers and operating systems. Chrome on Windows, OS X, Linux and ChromeOS, and Firefox 33 and later, would nonetheless have rejected the certificates for Google domains because of public-key pinning: those browsers ship a fixed set of hashes of the public keys Google's sites are allowed to chain through, and a certificate whose chain contains none of them is refused even if it is otherwise valid. Google noted that unauthorised certificates for other, unpinned sites likely exist.
Google further said that it had immediately notified CNNIC and other major browser vendors about the breach and blocked the MCS Holdings intermediate certificate in Chrome with a CRLSet push, Chrome's mechanism for distributing certificate blocks to all installations without waiting for a browser update.
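The two controls mentioned above, public-key pinning and an out-of-band block on the offending intermediate, can be shown side by side on a toy PKI. The following Go program is an added example, not code from Google or from the original article: it constructs a trusted root, an intermediate standing in for MCS Holdings, and a leaf certificate for mail.google.com signed by that intermediate. All certificates and keys are generated in memory; the names are constructed, and the block-list check is a simplified model of what a CRLSet does rather than Chrome's actual format. Ordinary chain validation accepts the leaf, because it chains to a trusted root, while the pin check rejects it, and blocking the intermediate's public-key hash rejects everything that intermediate issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the pin format Chrome's built-in pins use: a hash of the public key, not of
// the certificate, so a CA can reissue certificates without changing the pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins enforces public-key pinning: an otherwise valid chain is accepted
// only if at least one certificate in it carries a pinned key.
func checkPins(chain []*x509.Certificate, pins map[string]bool) error {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return fmt.Errorf("pin validation failed: no certificate in the chain carries a pinned key")
}

// checkBlockedSPKI is a simplified model (an assumption of this example) of the
// CRLSet block applied to MCS Holdings: blocking an intermediate's SPKI hash
// rejects every certificate that intermediate ever issued, whatever domain it names.
func checkBlockedSPKI(chain []*x509.Certificate, blocked map[string]bool) error {
	for _, c := range chain {
		if blocked[spkiPin(c)] {
			return fmt.Errorf("certificate %q is blocked by SPKI hash", c.Subject.CommonName)
		}
	}
	return nil
}

// makeCert issues a P-256 certificate from tmpl; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario is the constructed toy PKI. GenuinePin is the pin of a separate CA
// key that stands in for the Google CA key the browser actually pins.
type Scenario struct {
	Roots      *x509.CertPool
	Chain      []*x509.Certificate // leaf first, then the intermediate
	GenuinePin string
}

func buildScenario() Scenario {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root, rootKey := makeCert(ca("Constructed Root CA (CNNIC stand-in)", 1), nil, nil)
	inter, interKey := makeCert(ca("Constructed Intermediate (MCS stand-in)", 2), root, rootKey)
	leaf, _ := makeCert(&x509.Certificate{ // misissued: signed by the intermediate, not by the site's CA
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "mail.google.com"},
		DNSNames:    []string{"mail.google.com"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	genuine, _ := makeCert(ca("Constructed Genuine Site CA (pinned)", 4), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return Scenario{Roots: roots, Chain: []*x509.Certificate{leaf, inter}, GenuinePin: spkiPin(genuine)}
}

// verifyChain does ordinary PKI validation only: signatures, validity period,
// name match and a trusted root. The misissued chain passes this.
func verifyChain(s Scenario) error {
	inters := x509.NewCertPool()
	for _, c := range s.Chain[1:] {
		inters.AddCert(c)
	}
	_, err := s.Chain[0].Verify(x509.VerifyOptions{Roots: s.Roots, Intermediates: inters, DNSName: "mail.google.com"})
	return err
}

func main() {
	s := buildScenario()
	fmt.Println("PKI validation:", verifyChain(s))
	fmt.Println("pin check:", checkPins(s.Chain, map[string]bool{s.GenuinePin: true}))
	fmt.Println("after CRLSet-style block:", checkBlockedSPKI(s.Chain, map[string]bool{spkiPin(s.Chain[1]): true}))
}
```

The pin is taken over the SubjectPublicKeyInfo rather than the whole certificate, which is why pinning survives routine reissuance by the legitimate CA but fails for a chain built by any other CA, trusted or not. The block list works on the same hash, so a single entry for the intermediate covers every certificate MCS could have issued, including ones nobody has yet seen.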
CNNIC said that it had entered into an agreement with MCS Holdings on the basis that MCS would only issue certificates for domains that it had registered. It said in a statement on its website that Google's decision to ban the certificates was hard to understand and accept, and appealed to Google to fully consider the rights of users. CNNIC also assured that its existing users wouldn't be affected.
Google further stated that CNNIC could apply for its certificates to be accepted again after revamping its verification process. Sites already holding CNNIC certificates will still be marked as trusted in Chrome for a limited period of time, Google said, without further explanation.
Google Chrome users are not required to take any action to be protected by the CRLSet update. Since there are no reports of abuse, Google is not recommending that people change passwords or take other action.