Chinese Certificate Authority CNNIC Is Dropped From Google Products

eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.

Lotsa butthurt

[FatherDale]

"The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination" Looks like Google and CNNIC have already agreed that if CNNIC are good boys for the next few weeks they wont turn them off. Wonder how closely MCS Holdings works with the Chinese gov?

Re:Good. +1 for Google.

[Dutch+Gun]

The fact that ANY root CA can issue Google domain certificate (or whatever domain they want) is bonkers. Nowadays, there are simply too many root CAs to be able to trust them all, if we ever really could. There used to be just a handful. Have you looked at your local CA store? There's hundreds of them nowadays! Did you know the Hong Kong Post Office is a root CA (Hongkong Post Root CA 1)? Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?

This system needs to be fixed, or at least seriously updated. It just hasn't scaled well in the reality of today's world. I don't think we need to go to the extreme of exchanging private certs. Let's face it, that will never, ever happen anyhow. But we do need more assurances than we have now.

Re:Good. +1 for Google.

[rtkluttz]

The whole idea of a 3rd party in a secure communication is ludicrous anyway. Stop the stupid ass warning for self signed certs and let secure communications between the two parties it concerns. Yes it requires that each of the 2 sides know a little bit about what is going on to verify the cert, but there simply is no such thing as a security when a 3rd party is involved whether its the Chinese, the NSA, or the CA themselves.

Re:Too bad for CNNIC

[Zocalo]

It's not quite that simple. CNNIC is the Chinese national equivalent of a LIR - they are responsible for all the IP assignments in China, so they can hardly "disappear" like that. Shutting down their CA division and re-opening it as a new shell company might be an option however.

The main thing here is that this also invalidates all of the certificates issued by CNNIC's intermediaries like MCS that are decended from the soon to be invalidated root certificates, and so on all the way down the chain of trust. That's a *lot* of customers and customers of customers that are going to be looking to push at least some of the costs of sorting this out upstream. Ultimately the buck stops at CNNIC, so they are going to have to make a decision about how much of that costs they are going to bear - get it wrong and there are plenty of other root CAs that intermediate level CAs can go to instead of CNNIC.

That sends a pretty strong message to other CAs that might be considering something similar, or to governments looking to strong arm a CA into doing it on their behalf. Break the chain of trust (whether through imcompetence, negligence or deliberate intent being immaterial), and you can expect to face very public, and potentially very expensive, consequences. Given that this also has implications for everyone's privacy, absolutely Apple, Microsoft, Mozilla et. al ought to follow suit and take at least some form of punitive action. Following on from DigiNotar I'm actually expecting to see them publishing some form of formalised policies about this in the near future, and hopefully no more exceptions (like TrustWave) are going to be made.

Re:Too bad for CNNIC

[Zocalo]

That's the big question, isn't it? Like CNNIC, the Turkish DigiNotar got the boot also, yet the US-based TrustWave was let off. It's probably worth pointing out that TrustWave's problems occurred pre-Snowden so people were a little more complacent even before you consider the "local US company" vs. "country with poor reputation for civil rights" issues. I'd like to hope that in today's climate TrustWave would meet a similar fate to DigiNotar and CNNIC/MCS, but without a clear no-exceptions policy from the application and OS vendors there's no real way to be sure. Even if there were such a policy, I doubt anyone would be willing to unilaterally revoke a compromised root certificate from one of the *really* major players in the CA game without a mutually agreed grace period to migrate users to replacement certificates.