Private I: Apple's Chinese market share may affect security judgment

Google apparently doesn't mind picking a fight with China. In 2010, unable to find a basis on which it could operate its services with minimal filtering or interference, and after attacks reported to originate in China against the company's internal mail and other systems, it shifted its search results from mainland China to servers in Hong Kong. Hong Kong operates under a special status, though it is part of the People's Republic. Mainland searchers had to use workarounds to perform searches via Google in Hong Kong and elsewhere.

In late 2014, China blocked retrieving Gmail via email clients using IMAP and POP3 and sending via SMTP. Webmail has been intermittently heavily disrupted. China has also stepped up its blocking of virtual private networks (VPNs) and other connections, preventing tens of millions of people in China, if not more, from accessing resources outside the country that are blocked by the Great Firewall of China. (I discussed the Great Firewall and Great Cannon, an offensive weapon, a few weeks ago.)

Google's primary source of revenue is selling advertising next to search results; its secondary sources include the sale of apps and media in Google Play, business services (like Google Apps for Work), and video advertising embedded in YouTube. It can deliver these digital services from anywhere in the world to anywhere in the world--unless blocked.

This may help explain in part the divergence in how Google and Apple responded to the high-level breach of trust by China's top domain and security authority, CNNIC, in early March. (I explain the background in "Trust and verify for network certificate roots," March 26.)

How we trust who we trust

The Internet requires trust, whether you want to believe that or not. Most traffic on the Internet still passes in the clear through data centers and within and across national boundaries. An increasing percentage is encrypted. An ever-larger part of that is protected in such a way that even the companies making the software can't peek within what's being sent and read your messages or see your photos. This has annoyed the FBI, the prime minister of the United Kingdom, and authorities in many other countries.

Much of the trust for encryption centers around a few hundred entities called certificate authorities (CAs) that are delegated the trust to issue digital certificates to secure communications between client and server software, such as a web browser and a web server. These CAs are, in turn, trusted by different groups who agree to include them in a baked-in list. The primary agents of trust are Apple, Google, Mozilla, and Microsoft.

These four firms make three of the most-used commercial or certified operating systems, and the four most-used web browsers, as well as the most commonly used email software. (Opera Software is the fifth Beatle of this group, and has its strong adherents on the desktop and in mobile use.)

Google sounded the alarm March 23 about what turned out to be the egregiously bad idea of Chinese domain registrar and CA, CNNIC, to pass on authority for its root certificate--the secret encryption material used to countersign any certificate it issues--to a reseller for an ostensibly benign or limited purpose.

The reason this was a problem is that with that information, a party can create forged certificates for any domain in the world that a browser, email client, or other software would accept as perfectly valid. That's a problem--it breaks trust the world over, and imperils both privacy and safety: people saying things privately in opposition to the government whose words can suddenly be decrypted without their knowledge can be put in danger of their freedom and their lives. (Using an illegitimate but valid certificate still requires a man-in-the-middle attack, which is trivial for a government.)

Within days, Mozilla and Google had investigated, removed the reseller's intermediate authority, and kicked CNNIC out of the root list of CAs for all their products: Android (OS), Chrome, Chrome OS, Firefox, Firefox OS, and Thunderbird, to name the marquee items. (Mozilla said it would keep older certificates valid given provisos that don't seem to have been met; Google said all CNNIC-signed certificates would become invalid.) Both organizations say they'd consider adding CNNIC back in, probably with additional safeguards in place. Mozilla discusses these issues publicly among its community.

Microsoft removed just the intermediate certificate and issued a tepid security note. Apple has said...nothing. CNNIC's root certificate remains in Apple's trusted set in OS X (which can be viewed in Keychain Access), and the company hasn't spoken publicly. (A query I made weeks ago received no response to date.)
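A practical way to check the question the column raises (is a distrusted root still in your trust store?) is to enumerate the roots your TLS stack loads and filter by the issuing organization; this is an added example, not code from the article, and the sample store entries below are constructed, as is the "CNNIC" organization filter:

```python
import ssl

# ssl.SSLContext.get_ca_certs() returns one dict per root, with the subject as
# nested tuples of (attribute, value) pairs. The entries below are CONSTRUCTED
# sample data in that shape, so the filter can be exercised offline.
SAMPLE_STORE = [
    {"subject": ((("countryName", "CN"),), (("organizationName", "CNNIC"),),
                 (("commonName", "CNNIC ROOT"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},          # constructed date
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                 (("commonName", "Example Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},          # constructed date
]


def subject_field(subject, field):
    """Return the first value of `field` in an ssl-style subject tuple, or None."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == field:
                return value
    return None


def find_roots(ca_certs, org_names):
    """Return (organizationName, commonName, notAfter) for every root whose
    organizationName matches one of `org_names` (case-insensitive)."""
    wanted = {name.lower() for name in org_names}
    hits = []
    for cert in ca_certs:
        subject = cert.get("subject", ())
        org = subject_field(subject, "organizationName")
        if org and org.lower() in wanted:
            hits.append((org, subject_field(subject, "commonName"), cert.get("notAfter")))
    return hits


def audit_default_store(org_names=("CNNIC",)):
    """Report matching roots in the trust store this Python/OpenSSL build uses.
    Note: on OS X, Python's OpenSSL usually reads a CA bundle, not the system
    Keychain; the Keychain roots the column mentions are checked separately
    with Keychain Access or `security find-certificate -a -c CNNIC`."""
    ctx = ssl.create_default_context()   # loads the platform default roots
    return find_roots(ctx.get_ca_certs(), org_names)


if __name__ == "__main__":
    for org, cn, expires in audit_default_store() or []:
        print(f"still trusted: {org} / {cn} (expires {expires})")
```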

Microsoft doesn't break out its Chinese or Asian sales, and they're estimated to be just a few percentage points of its total revenue. But it has strived for years to increase sales there, and the future of Microsoft in versatile devices and cloud services means it has to bump sales in China.

Apple grossed nearly $17 billion in revenue from China, Hong Kong, and Taiwan in its quarterly earnings announced earlier this week. Google has taken its stance for whatever combination of commercial and political reasons. Mozilla is a nonprofit foundation that stresses transparency in its decision making.

What lies beneath

Earlier this year, the New York Times reported on new rules in China:

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars' worth of business in China.

(The United States has allegedly attempted to insert its own back doors in equipment made by Chinese firms, notably Huawei.)

While these rules apply to the banking industry, and haven't been enforced yet, pressure apparently exists across many industries for the same sorts of requirements, partly to turn purchases to Chinese firms that will have no choice but to agree to the conditions.

Apple failing to boot CNNIC, and failing to discuss its reasoning for not doing so, isn't a minor point when hundreds of millions of computers and devices are affected by its decision, while two other firms--one a competitor and one not really in the same business or in any real business at all--with different constraints in China acted quickly and publicly.

The importance of China to Apple's continued growth can't be overstated. This is why it should be held to just as high a standard of disclosure about issues affecting security there as it is when Tim Cook bucks the FBI and NSA.


Stories by Glenn Fleishman
