This news will make owners of thousands of Chinese websites nervous. According to a recent post on the Google Online Security Blog, Google Chrome may blacklist thousands of Chinese websites because of unauthorized digital certificates provided to them for several Google domains. The post says the certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings, and that the intermediate certificate itself was issued by the China Internet Network Information Center (CNNIC).
Why Google Chrome decided to blacklist some Chinese websites
Adam Langley, a security engineer at Google, writes in the post on the Google Online Security Blog that on March 20th his team became aware that unauthorized digital certificates had been issued for several Google domains. He describes the danger posed by these unauthorized certificates:
“CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Google Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.”
Adam adds that Google has already alerted CNNIC, as well as other browser vendors, about the incident. As a precautionary measure, the MCS Holdings certificate has been blocked in Google Chrome.
CNNIC responded to this action by Google Chrome on March 22nd. Adam summarizes the response in his post:
“…they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keeping the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system. This situation is similar to a failure by ANSSI in 2013.”
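To make concrete why the quoted passages say the mis-issued certificates would have been trusted by almost every client yet rejected by Chrome and Firefox 33 and greater, here is an added Go example (not code from the blog post or from Google) using the standard crypto/x509 package. It builds two certificate chains at run time: one issued by a site operator's own CA, and one signed by a sub-CA to which a different, equally trusted root has delegated signing authority, the shape of the MCS Holdings case. Both chains pass ordinary root-store verification; only the legitimate one contains a public key in the operator's pin set. Every CA name, key and the host name www.example.com are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo (the pin value).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// makeCert issues a short-lived certificate for subject, self-signed when parent is nil,
// otherwise signed by parentKey. All keys are generated at run time (constructed data).
func makeCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Result records the two checks a client can apply to a presented chain.
type Result struct{ ChainTrusted, PinMatched bool }

// checkChain runs root-store verification for host, then pinning: the chain passes pinning
// only if some certificate in the verified path has an SPKI hash that is in pins.
func checkChain(host string, leaf *x509.Certificate, intermediates, roots []*x509.Certificate, pins map[string]bool) Result {
	interPool, rootPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: interPool, Roots: rootPool})
	res := Result{ChainTrusted: err == nil}
	if err != nil {
		return res
	}
	for _, c := range chains[0] {
		res.PinMatched = res.PinMatched || pins[spkiPin(c)]
	}
	return res
}

// Demo builds two chains for the same host. The legitimate one is issued by the site
// operator's own CA; the mis-issued one is signed by a sub-CA delegated from a different
// root that the store also trusts (the shape of the incident described above).
func Demo(host string) (legit, misissued Result) {
	operatorRoot, operatorKey := makeCert("Operator Root CA (constructed)", true, nil, nil)
	legitLeaf, _ := makeCert(host, false, operatorRoot, operatorKey)
	otherRoot, otherKey := makeCert("Other Public Root CA (constructed)", true, nil, nil)
	proxySubCA, proxyKey := makeCert("Sub-CA key held by a proxy (constructed)", true, otherRoot, otherKey)
	badLeaf, _ := makeCert(host, false, proxySubCA, proxyKey)
	roots := []*x509.Certificate{operatorRoot, otherRoot} // simulated root store
	pins := map[string]bool{spkiPin(operatorRoot): true}  // the operator's pin set
	legit = checkChain(host, legitLeaf, nil, roots, pins)
	misissued = checkChain(host, badLeaf, []*x509.Certificate{proxySubCA}, roots, pins)
	return legit, misissued
}

func main() {
	legit, bad := Demo("www.example.com")
	fmt.Printf("legitimate chain: %+v\nmis-issued chain: %+v\n", legit, bad)
}
```

Running it prints both results: the mis-issued chain is accepted by root-store verification but fails the pin check, which is exactly the gap between "almost all browsers" and the pinning clients in the quoted text. Pinning only protects the sites that publish pins, which is why the post adds that mis-issued certificates for other sites likely exist; for those sites the defence is revocation of the intermediate, as Chrome did by blocking it.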
On April 2nd, CNNIC published a declaration stating that the decision made by Google is “unacceptable and unintelligible to CNNIC”. The declaration further states that CNNIC will protect the rights and interests of the users to whom it has already issued certificates.