Google’s Chrome browser will stop trusting all digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains.
The move could have major consequences for huge numbers of Internet users as Chrome, the world’s second most widely used browser, stops recognizing all website certificates issued by CNNIC. That could leave huge numbers of users suddenly unable to connect to banks and e-commerce sites. To give affected website operators time to obtain new credentials from a different certificate authority, Google will wait an unspecified period of time before implementing the change. Once that grace period ends, Google engineers will blacklist both CNNIC’s root and extended-validation certificates in Chrome and all other Google software.
The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination. Such devices are sometimes used by companies to monitor employees’ encrypted traffic for legal or human resources reasons. It’s one of the first times a certificate authority has faced such a banishment since the downfall of Netherlands-based DigiNotar in 2011. Other CAs, including US-based Trustwave, have also done what CNNIC did without getting the boot. While worldwide Chrome is the No. 2 most used browser, it had a commanding, 52-percent share in China last year, compared to 23 percent for IE.
The move was announced on Wednesday evening in an update to last week’s blog post disclosing the misissued certificates. The update left open the possibility that CNNIC may be reinstated at an undetermined future date if the group gives a detailed accounting of all currently valid certificates. The update read:
Update – April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
As this post was being prepared, it wasn’t clear if Mozilla or Microsoft planned to update Firefox and Internet explorer to also stop trusting CNNIC. Firefox 37, released this week, stopped trusting all certificates issued by MCS Holdings, and Microsoft has announced similar plans for Windows. Revoking trust in the root CNNIC certificate would be a much more disruptive course of action, since many more website certificates would be affected.
Update 1: In an e-mailed statement, Mozilla Cryptographic Engineering Manager Richard Barnes said: “We believe it is very important to include the Mozilla community in these discussions, so we are taking a bit longer to announce our official plan. We expect to wrap up our discussion in mozilla.dev.security.policy soon, and in the meantime you can see the plan we are currently discussing here.”
The plan under consideration would:
Reject certificates chaining to CNNIC with a notBefore date after a threshold date
Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs
Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
If CNNIC’s re-application is unsuccessful, then their root certificates will be removed
Update2: Officials with CNNIC have issued a statement that’s sharply critical of Google’s move. It reads: