Slashdot Mirror


Chinese Certificate Authority CNNIC Is Dropped From Google Products

eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.

8 of 176 comments

  1. Good. +1 for Google. by Anonymous Coward · Score: 5, Insightful

    If a CA clearly can't be trusted, then it has absolutely no business being trusted. This is a good thing, and despite the upheaval it will cause for people requiring new certs (if you want Chrome to like the site), it will only improve security by making CAs aware that if they mess about, or don't vet properly, then their business is basically gone.

    Of course, the only really secure way is to drop all CAs everywhere, and directly exchange certs with whoever you deal with (banks, etc., by going into a branch; hugely impractical though).

    1. Re:Good. +1 for Google. by Dutch Gun · Score: 5, Interesting

      The fact that ANY root CA can issue a Google domain certificate (or whatever domain they want) is bonkers. Nowadays, there are simply too many root CAs to be able to trust them all, if we ever really could. There used to be just a handful. Have you looked at your local CA store? There are hundreds of them nowadays! Did you know the Hong Kong Post Office is a root CA (Hongkong Post Root CA 1)? Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?

      This system needs to be fixed, or at least seriously updated. It just hasn't scaled well in the reality of today's world. I don't think we need to go to the extreme of exchanging private certs. Let's face it, that will never, ever happen anyhow. But we do need more assurances than we have now.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. Too bad for CNNIC by Anonymous Coward · Score: 5, Insightful

    Given the events that transpired, it seems like Google is completely in the right here. It would be best if Mozilla, Microsoft, et al. followed suit.

    1. Re:Too bad for CNNIC by Zocalo · Score: 5, Interesting

      It's not quite that simple. CNNIC is the Chinese national equivalent of a LIR - they are responsible for all the IP assignments in China, so they can hardly "disappear" like that. Shutting down their CA division and re-opening it as a new shell company might be an option however.

      The main thing here is that this also invalidates all of the certificates issued by CNNIC's intermediaries like MCS that are descended from the soon-to-be-invalidated root certificates, and so on all the way down the chain of trust. That's a *lot* of customers and customers of customers that are going to be looking to push at least some of the costs of sorting this out upstream. Ultimately the buck stops at CNNIC, so they are going to have to make a decision about how much of those costs they are going to bear - get it wrong and there are plenty of other root CAs that intermediate-level CAs can go to instead of CNNIC.

      That sends a pretty strong message to other CAs that might be considering something similar, or to governments looking to strong-arm a CA into doing it on their behalf. Break the chain of trust (whether through incompetence, negligence or deliberate intent being immaterial), and you can expect to face very public, and potentially very expensive, consequences. Given that this also has implications for everyone's privacy, absolutely Apple, Microsoft, Mozilla et al. ought to follow suit and take at least some form of punitive action. Following on from DigiNotar I'm actually expecting to see them publishing some form of formalised policies about this in the near future, and hopefully no more exceptions (like TrustWave) are going to be made.

      --
      UNIX? They're not even circumcised! Savages!
  3. Re:Firefox response by Lennie · Score: 5, Informative

    Here is a link to the latest Mozilla statement on the mailing list/newsgroup:
    https://groups.google.com/d/ms...

    --
    New things are always on the horizon
  4. Re:Lawful rights and interests? by gstoddart · Score: 5, Insightful

    Ever read any other press releases coming out of China?

    They very often miss the point, and just fall back to "this is true because we say it is".

    The "rights and interests" of users is to not be spoofed. The users in China don't have a "right" to use a Google product which has been hacked, and the CNNIC doesn't have a "right" to issue fake certificates.

    Some of it is swagger, but from people who are used to being able to wave their collective dicks around and have that influence reality. Now, they've come up against an entity who says "we simply don't care what you want to claim, this is what's happening".

    --
    Lost at C:>. Found at C.
  5. Re:Mozilla formulating a plan? by Anonymous Coward · Score: 5, Informative

    You know you can do this yourself in Firefox and Thunderbird.

    Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Delete or Distrust...
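The manual Firefox steps above remove trust one profile at a time; the same check can be scripted for a fleet or a log of captured chains. The following is an added example, not code from the thread or from Mozilla: it parses a PEM bundle, computes SHA-256 fingerprints, and reports any chain member whose fingerprint appears on a local distrust list. The certificate bytes and the blocklist entry are constructed placeholders; a real list would hold the vendor-published fingerprint of the distrusted root.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER certificate bytes (not real certificates).
LEAF_DER = b"constructed-leaf-certificate-bytes"
INTERMEDIATE_DER = b"constructed-intermediate-certificate-bytes"
ROOT_DER = b"constructed-root-certificate-bytes"

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope (base64, line-wrapped like openssl)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def pem_to_ders(bundle: str) -> list:
    """Extract every certificate in a PEM bundle as raw DER bytes, in order."""
    ders = []
    for match in PEM_BLOCK.finditer(bundle.encode()):
        ders.append(base64.b64decode(b"".join(match.group(1).split())))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, upper-case hex as vendors publish it."""
    return hashlib.sha256(der).hexdigest().upper()


def distrusted_in_chain(bundle: str, blocklist: set) -> list:
    """Return (position, fingerprint) for every chain member on the blocklist.

    Position 0 is the leaf; the last position is the anchor the chain relies on.
    """
    hits = []
    for pos, der in enumerate(pem_to_ders(bundle)):
        fp = fingerprint(der)
        if fp in blocklist:
            hits.append((pos, fp))
    return hits


# Constructed three-certificate chain and a blocklist naming its root.
CHAIN_PEM = "".join(to_pem(d) for d in (LEAF_DER, INTERMEDIATE_DER, ROOT_DER))
BLOCKLIST = {fingerprint(ROOT_DER)}  # placeholder for a published distrust list

if __name__ == "__main__":
    for pos, fp in distrusted_in_chain(CHAIN_PEM, BLOCKLIST):
        print(f"chain position {pos} is on the distrust list: {fp}")
```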

  6. Re:Firefox response by drinkypoo · Score: 5, Insightful

    Now that is fascinating. FTFN[ewspost]:

    The current incident falls into this category:
    "Problem: CA mis-issued a small number of intermediate certificates that they can enumerate"

    Uh, no. No, that is not the problem. The problem is that the CA has been demonstrated to use untrustworthy practices. They are fundamentally untrustworthy, and Google did the Only Right Thing(tm) while Mozilla is failing, and hard.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"