LONDON: Google has announced that its web browser Chrome and other products will no longer recognize security certificates issued by the China Internet Network Information Center (CNNIC).
This is significant because CNNIC administers security certificates for the .cn country code, as well as Chinese-language domain names, which are open to businesses registered within China.
Unless one of those sites is on a white list of legitimate domains CNNIC provides to Google, Chrome users will see a pop-up warning them about the site's security (though they can choose to ignore it and proceed to the site).
The ban comes two weeks after Google noticed unauthorized digital certificates for several Google domains that were issued through MCS Holdings, an intermediate certificate authority contracted by the CNNIC.
The CNNIC explained to Google that instead of keeping the security certificate’s private key safely tucked away in a proper hardware security module, MCS Holdings installed it in a man-in-the-middle proxy, leaving it extremely vulnerable to interception.
“This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it,” Google said in its first post about the issue, which was published on March 23 on its Online Security Blog.
In a new update to the same post, Google announced that its products will no longer recognize the CNNIC’s security certificates.
The change will be seen in a future Chrome update, though the company will give legitimate domains certified by the CNNIC a grace period: “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.”
This includes websites operated by the Chinese government.
Google added that “we applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”







