Chinese Internet authority clashes with Google over digital certificates

Google's Chrome will no longer recognize new digital certificates issued by CNNIC

A Chinese Internet administrator blasted Google on Thursday, after the U.S. search giant decided to stop recognizing digital certificates issued by the group following a security lapse.

"The decision that Google has made is unacceptable and unintelligible," China's Internet Network Information Center (CNNIC) said in an online posting.

Google's decision means that its Chrome browser could end up clashing with sites served by the Chinese Internet agency.

On Wednesday, Google explained the move in an update to an earlier blog posting. The company is still concerned by the way CNNIC issued a certificate to an IT company based in Egypt that misused it in a botched security test.

Google and CNNIC conducted a joint investigation, but despite the effort, the U.S. company decided to drop the Chinese Internet agency as a recognized root certificate authority.

However, Google signaled that this was only a temporary measure. For a limited time, the Chrome browser will trust existing CNNIC-issued certificates.

"We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place," Google added.

If a standoff ensues, Google's decision has the potential to hamper the Chinese Internet agency's reach. Upon encountering new CNNIC-issued certificates, the Chrome browser will issue a warning, alerting the user to the access risks.

Digital certificates are important because, if abused, they could be used to conduct hacking attacks against unsuspecting users.

CNNIC administers China's Internet infrastructure, and runs the .cn domain name system. But the agency is also linked with the Chinese government, which has been accused of launching cyberattacks against U.S. companies and activist groups.

This recent dispute, however, has more to do with the potential for abuse than any actual hacking attempt.

Last month, CNNIC issued a so-called intermediate CA certificate to an Egyptian IT company called MCS Holdings for internal testing, but the company then used it for other purposes. Intermediate certificates allow their owners to issue certificates for any domain names on the Internet, so their use should be strictly controlled.

Following the incident, CNNIC revoked the certificate. MCS Holdings attributed the misuse to human error.

On Thursday, CNNIC said customers issued with existing certificates would not be affected by Google's decision. But the Internet agency could face trouble in securing new customers.

By dropping CNNIC, Google is indirectly driving more business to competing certificate authorities, said F-Secure security advisor Su Gim Goh.

"You will most likely want to purchase from someone else, so that your business won't be affected," Goh said, adding: "It's definitely an interesting move, let's see what the other browsers do."

Microsoft and Mozilla did not immediately respond to requests for comment. Last month, Mozilla also took action and revoked the CNNIC-issued certificate misused by MCS Holdings.

Stories by Michael Kan
