CNNIC can be re-included if control mechanisms are added

Apr 2, 2015 10:21 GMT

In a future, unspecified update for Chrome and all other Google products, digital certificates issued by root certificate authority (CA) China Internet Network Information Center (CNNIC) will no longer be trusted.

Google’s decision follows a joint investigation carried out by the two organizations into last week’s incident, when it was discovered that CNNIC awarded intermediate CA powers to MCS Holdings, a company based in Egypt, which issued certificates for several Google domains without being authorized to do so.

Great power demands increased openness

The intermediate certificates issued by CNNIC were for testing purposes, with a limited validity period of two weeks. They were scheduled to expire on April 3, and the agreement was that MCS Holdings would issue certificates only for the domains it owned.

There is no evidence that MCS Holdings used the certificates for purposes other than tests on its internal network, or that it created certs for other domains.

However, the problem with CNNIC is a lack of transparency in issuing digital certificates for various entities. As a root CA, the Chinese organization represents the highest level of trust in domain validation and encrypted communication between clients and servers.

As such, any misstep from the company can have significant consequences for Internet users, as fraudulently issued certs could be used by malicious actors to impersonate legitimate websites and to decrypt secure traffic in man-in-the-middle attacks.

Ripple effect

Google's removal of trust in all certificates issued by this root CA can have a major impact on the web, as many services rely on validation from CNNIC. The effect is that these services are no longer trusted by Chrome and other Google products.

Some steps are taken to reduce this effect, however. “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist,” an update from Google reads.

CNNIC can become trustworthy again

The decision is not permanent, and the CA can regain Google’s trust by implementing the standards of Certificate Transparency, an open and public framework, for all their certificates.

This means that the company should agree to have its certificates logged, monitored and audited, which would help detect fraudulent certificates.

Mozilla is currently considering a more lenient measure than removing CNNIC’s certificates from its store.

The intended course of action is to reject certificates chaining to CNNIC whose “not-before” date is later than a threshold still to be set. The CA would also have to provide “a list of currently valid certificates, and publish that list so that the community can recognize any back-dated certs,” says Richard Barnes, member of Mozilla’s Internet Engineering Task Force.

If additional requirements, which have yet to be defined, are met, CNNIC will be allowed in Mozilla’s certificate store again.
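The two mitigations described in this article, Google's publicly disclosed whitelist of existing certificates and Mozilla's proposed "not-before" cutoff backed by a CA-published list of valid certificates, can both be expressed as a policy check applied after a chain has been built. The following Python is an added example written for this article, not code from Google, Mozilla or CNNIC; the certificate fingerprints, subject names, dates and the cutoff value are constructed placeholders (the real threshold had not been set at the time of writing), and a real client would take these fields from parsed X.509 certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Minimal view of an X.509 certificate: only the fields the policy needs."""
    subject: str
    issuer: str
    fingerprint: str          # SHA-256 of the DER encoding; placeholders in this example
    not_before: datetime


# Constructed placeholder, not the real CNNIC root fingerprint.
DISTRUSTED_ROOT = "sha256:ROOT-CNNIC-PLACEHOLDER"

# Chrome-style measure: a publicly disclosed whitelist of already-issued certificates
# that remain trusted for a limited time even though the root is distrusted.
CHROME_WHITELIST = {"sha256:LEAF-OLD-PLACEHOLDER"}

# Mozilla-style measure: certificates chaining to the root whose notBefore is later
# than this threshold are rejected. The value is an assumption for the example.
MOZILLA_CUTOFF = datetime(2015, 4, 1, tzinfo=UTC)

# The list of currently valid certificates the CA would have to publish. A certificate
# claiming a pre-cutoff notBefore but absent from the list stands out as back-dated.
CA_PUBLISHED_LIST = {"sha256:INTER-PLACEHOLDER", "sha256:LEAF-OLD-PLACEHOLDER"}


def build_chain(leaf, pool):
    """Follow issuer links from the leaf until a self-signed certificate is reached.

    Returns None if an issuer is missing from the pool or the links form a loop.
    """
    by_subject = {c.subject: c for c in pool}
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent in chain:
            return None
        chain.append(parent)
    return chain


def chrome_policy(leaf, pool):
    """Distrust everything under the root except the whitelisted certificates."""
    chain = build_chain(leaf, pool)
    if chain is None:
        return "reject", "incomplete chain"
    if chain[-1].fingerprint != DISTRUSTED_ROOT:
        return "accept", "not affected by the distrust"
    if leaf.fingerprint in CHROME_WHITELIST:
        return "accept", "on the publicly disclosed whitelist"
    return "reject", "chains to the distrusted root and is not whitelisted"


def mozilla_policy(leaf, pool):
    """Reject certs issued after the cutoff; use the CA's published list to catch back-dating."""
    chain = build_chain(leaf, pool)
    if chain is None:
        return "reject", "incomplete chain"
    if chain[-1].fingerprint != DISTRUSTED_ROOT:
        return "accept", "not affected by the restriction"
    for cert in chain[:-1]:                      # every certificate below the root
        if cert.not_before > MOZILLA_CUTOFF:
            return "reject", f"{cert.subject}: notBefore is after the cutoff"
        if cert.fingerprint not in CA_PUBLISHED_LIST:
            return "reject", f"{cert.subject}: pre-cutoff notBefore but not on the CA's published list (back-dated?)"
    return "accept", "issued before the cutoff and listed by the CA"


# Constructed sample certificates (all names, dates and fingerprints are placeholders).
ROOT = Cert("CNNIC Root (placeholder)", "CNNIC Root (placeholder)", DISTRUSTED_ROOT, datetime(2007, 1, 1, tzinfo=UTC))
INTER = Cert("CNNIC Sub CA (placeholder)", ROOT.subject, "sha256:INTER-PLACEHOLDER", datetime(2014, 1, 1, tzinfo=UTC))
LEAF_OLD = Cert("old.example", INTER.subject, "sha256:LEAF-OLD-PLACEHOLDER", datetime(2015, 3, 21, tzinfo=UTC))
LEAF_NEW = Cert("new.example", INTER.subject, "sha256:LEAF-NEW-PLACEHOLDER", datetime(2015, 4, 10, tzinfo=UTC))
LEAF_BACKDATED = Cert("backdated.example", INTER.subject, "sha256:LEAF-BACKDATED-PLACEHOLDER", datetime(2015, 2, 1, tzinfo=UTC))
OTHER_ROOT = Cert("Other Root (placeholder)", "Other Root (placeholder)", "sha256:OTHER-ROOT-PLACEHOLDER", datetime(2010, 1, 1, tzinfo=UTC))
OTHER_LEAF = Cert("other.example", OTHER_ROOT.subject, "sha256:OTHER-LEAF-PLACEHOLDER", datetime(2015, 4, 10, tzinfo=UTC))
POOL = [ROOT, INTER, OTHER_ROOT]

if __name__ == "__main__":
    for leaf in (LEAF_OLD, LEAF_NEW, LEAF_BACKDATED, OTHER_LEAF):
        print(leaf.subject, "| Chrome:", chrome_policy(leaf, POOL), "| Mozilla:", mozilla_policy(leaf, POOL))
```

Both policies share the chain walk and only differ in what they do once the chain is found to end at the distrusted root: the whitelist approach is an explicit allow-list with everything else rejected, while the cutoff approach relies on the published list to make a forged early "not-before" date detectable rather than trusting the date on its own.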

[UPDATE]: CNNIC has responded to Google's action with the following statement:

“1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.

2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”