BEIJING: Mozilla and Google’s security engineers wrote a post about an intermediate certificate authority (CA) called MCS Holdings that issued some unauthorized digital certificates for Google’s domains. The intermediate certificate for MCS Holdings was issued by CNNIC, China’s main root certificate authority. Google believes CNNIC is also responsible for that forged certificate and has decided to remove it from Chrome.
Google’s Chrome and Mozilla’s Firefox are some of the world’s most widely used browsers, and the moves could disrupt users accessing a broad range of Chinese web sites.
As a result of Mozilla’s step, users of Firefox may get a warning when attempting to visit sites certified after April 1 by the China Internet Network Information Center, the body that administers China’s Internet by allocating and certifying IP addresses and web domain names.
CNNIC issued a statement on Thursday calling Google’s move “unacceptable and unintelligible” and asked the web giant to consider its users’ interests.
Zhang Jing, a representative of CNNIC’s media relations department, could not immediately provide comment about Mozilla’s move when reached late Friday.
Mozilla and Google have both objected to CNNIC delegating its authority to issue certificates to an Egyptian company called MCS Holdings, which mishandled the matter last week.
MCS Holdings attributed a security lapse that took place on a test network to human error.
Internet authorities around the world issue certificates of trust to websites to verify their authenticity when visited by a web browser. Hackers could in theory impersonate unverified websites and intercept data using a “man-in-the-middle” attack.
Google and Mozilla have said they would allow CNNIC to reapply so its certificates could be recognized again.
Chrome is the world’s most popular desktop and tablet browser, with nearly 50% share, while Microsoft Corp’s Internet Explorer has nearly 18% compared to Firefox at 16.9%, according Statcounter.
