Slashdot Mirror


Chinese Certificate Authority CNNIC Is Dropped From Google Products

eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.

4 of 176 comments (clear)

  1. Good. +1 for Google. by Anonymous Coward · · Score: 5, Insightful

    If a CA clearly can't be trusted, then it has absolutely no business being trusted. This is a good thing, and despite the upheaval it will cause for people requiring new certs (if you want chrome to like the site), it will only improve security by making CA's aware that if they mess about, or don't vet properly, then their business is basically gone.

    Of course, the only really secure way is to drop all CA's everywhere, and directly exchange certs with whoever you deal with (banks, etc, etc by going into a branch. Hugely impractical though).

  2. Too bad for CNNIC by Anonymous Coward · · Score: 5, Insightful

    Given the events that transpired, it seems like Google is completely in the right here. It would be best if Mozilla, Microsoft, et. al. followed suit.

  3. Re:Lawful rights and interests? by gstoddart · · Score: 5, Insightful

    Ever read any other press releases coming out of China?

    They very often miss the point, and just fall back to "this is true because we say it is".

    The "rights and interests" of users is to not be spoofed. The users in China don't have a "right" to use a google product which has been hacked, and the CNNIC doesn't have a "right" to issue fake certificates.

    Some of it is swagger, but from people who are used to being able to wave their collective dicks around and have that influence reality. Now, they've come up against an entity who says "we simply don't care what you want to claim, this is what's happening".

    --
    Lost at C:>. Found at C.
  4. Re:Firefox response by drinkypoo · · Score: 5, Insightful

    Now that is fascinating. FTFN[ewspost]:

    The current incident falls into this category:
    "Problem: CA mis-issued a small number of intermediate certificates that they can enumerate

    Uh, no. No, that is not the problem. The problem is that the CA has been demonstrated to use untrustworthy practices. They are fundamentally untrustworthy, and Google did the Only Right Thing(tm) while Mozilla is failing, and hard.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"