Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Google to Revoke Trust in CNNIC Certificates

Following the incident in which an Egypt-based company issued unauthorized digital certificates for several Google domains using an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant has decided to revoke trust in CNNIC certificates.

Following the incident in which an Egypt-based company issued unauthorized digital certificates for several Google domains using an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant has decided to revoke trust in CNNIC certificates.

The change will take effect in a future Chrome release, Google noted on Wednesday in an update made to its initial blog post on the matter.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” said Google security engineer Adam Langley. “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.”

The incident came to light last week, when Google revealed that several unauthorized certificates had been issued by Egypt-based MCS Holdings and installed on an internal firewall device that acted as a man-in-the-middle (MitM) proxy.

CNNIC revoked the intermediate certificate used by MCS Holdings and pointed out that the Egyptian firm should have used it to issue only certificates for domains it had registered.

CNNIC’s certificates are included in all major root stores and Google believes this was a “serious breach of the CA system.” After being alerted by Google, both Mozilla and Microsoft took steps to protect Firefox and Internet Explorer users.

Langley said that while there is no evidence to suggest that other fake certificates have been issued or that the ones from MCS Holdings were used outside of the company’s own network, CNNIC will have to take measures before it can earn Google’s trust again.

“CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place,” Langley said.

In a brief statement issued on Thursday, CNNIC urged Google to reconsider its decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” CNNIC stated. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

Mozilla could also take action against CNNIC, but the company is still discussing options with members of its community.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...