It does not appear that Google’s frosty relationship with China will thaw anytime soon, as the search giant this week said it will reject digital certificates from the China Internet Network Information Center (CNNIC).
At issue are the digital certificates that websites present to browsers, which vouch for a site’s identity and underpin the encrypted connection that keeps others from reading or tampering with your information. In this case, Google discovered that CNNIC, which issues certificates for the .cn domain, made a deal with a company known as MCS Holdings, which used those certificates for a man-in-the-middle proxy.
As Google explained, such proxies “intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”
“In this case, the presumed proxy was given the full authority of a public CA [certificate authority], which is a serious breach of the CA system,” Google said last week, when the problem was first discovered.
Now, after further investigation, Google has decided to crack down on CNNIC. “We have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” the company said on Wednesday.
As Ars Technica noted, the move could affect those trying to connect to banking or shopping sites with certificates issued by CNNIC. To give companies time to respond, “for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist,” Google said.
Still, those surfing to encrypted (HTTPS) websites ending in .cn via Google’s Chrome might encounter a number of security warnings going forward, the Wall Street Journal said.
Not surprisingly, CNNIC is not happy.
“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” the organization said in a statement. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”
Web firms were faced with a similar problem back in 2011 when Netherlands-based DigiNotar disclosed that it had been hacked. An investigation into the effect of the intrusion found that, among other things, the hack possibly compromised the Google accounts of more than 300,000 Iranians. Google, Microsoft, Mozilla, Adobe, and Apple subsequently blocked the DigiNotar digital certificates.