Google says it will no longer trust digital certs issued by CNNIC
Google made the decision after investigating a security incident in which digital certs were "misissued."
Google has decided that it will no longer trust digital certificates issued by the China Internet Network Information Center (CNNIC), a central certificate authority for the country.
Last week, the tech giant learned that unauthorized certs for Google domains had been issued by Mideast Communication Systems (MCS), an intermediate certificate authority (CA) that was ultimately vetted by CNNIC. And, after investigating the incident further and blocking the MCS certificate in Chrome – Google announced Wednesday that, moving forward, it would blacklist all certs issued by CNNIC, which operates the registry for China's country-code top-level domains (sites ending in “.cn”).
That day, Google Security Engineer Adam Langley wrote on the company's security blog that the change would take effect in a future Chrome update. Afterwards, users can expect to see warnings that a website's security certificate is not trusted, if the cert is issued by CNNIC.
Langley added that, to help affected customers during the transition, Google will for a limited time “allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.” In his blog post, Langley said that Google commends CNNIC for its measures to address the MCS incident, and that the certificate authority is encouraged to apply for reinclusion upon implementing practices suggested through Google's Certificate Transparency project.
“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings' test network, CNNIC will be working to prevent any future incidents,” Langley assured users.
In response to the move, CNNIC issued a statement on Thursday saying that Google's decision was “unacceptable and unintelligible” to the certificate authority, and it “sincerely urge[s] that Google would take users' rights and interests into full consideration.”
"For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected," the authority said.