Google on March 23 reported that it was aware of unauthorized certificates for Google domains that had been issued by MCS Holdings, an intermediate certificate authority under CNNIC. At the time Google blocked the fraudulent certificate, but now the search giant is taking the action a step further, by blocking all CNNIC-issued certificates.
Google is not alone in its action. Mozilla is also blocking CNNIC.
Digital Death Penalty
"As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC root and EV CAs will no longer be recognized in Google products," Google Security Engineer Adam Langley wrote in a blog post. "This will take effect in a future Chrome update."
Blocking a CA is the digital equivalent of the death penalty, meaning that all of the CA's certificates will be treated as invalid. Langley noted that for a limited time Google will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
In a similar move, Mozilla's Kathleen Wilson blogged that Mozilla would also block CNNIC certificates.
"We have concluded that CNNIC’s behavior in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy," Wilson wrote.
Instead of the whitelist approach that Google has taken, Mozilla's technologies -- including the popular Firefox Web browser -- will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after April 1, 2015.
CNNIC has lashed out at Google's move.
"The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration," the company wrote in a statement.
The removal of CNNIC isn't the first time that browser vendors have moved to remove a trusted CA from the root trust. In 2011 the DigiNotar CA also was found to have issued fraudulent SSL/TLS certificates for Google. In that case DigiNotar was somehow breached by an attacker, which enabled the mis-issuance. Within several months of the breach and fraudulent SSL/TLS certificate issuance, DigiNotar went bankrupt.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.