On April 1st, Google issued an update on their blog stating they will no longer trust any root certificates issued by CNNIC (China Internet Network Information Center, the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People’s Republic of China). This will take effect in next Google Chrome update. In order to minimize the impact of this measure, Google will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.
On the same day, Mozilla also claims any certificates issued by CNNIC will no longer be trusted.
April 2nd, CNNIC protests Google Security Decision, declaring “the decision made by Google was unacceptable and unintelligible.”
Now, the question of what really happened here comes to mind. Is this merely a bias against CNNIC or did the CNNIC really do something wrong?
Let’s take a closer look at this incident.
On March 20th, Google found out that there were some intermediate certificates held by MCS Holding that were abused in a “Man-in-the-Middle” proxy which is considered one of the most dangerous activities in cybersecurity. What makes it more dangerous is the fact that those certificates were issued by the Certificate Authority CNNIC, which is trusted by all major browsers, including Internet Explorer, Firefox, Safari, and of course, Google Chrome. Google has alerted CNNIC about this incident immediately.
March 22nd, CNNIC responded to Google and explained that the private key of this particular certificate, instead of being kept in a Hardware Security Module (HSM), was installed on a man-in-the-middle proxy. In simpler terms, all communication through this proxy can be intercepted or even modified without being detected by the users. Many companies are using this method to monitor their employee for legal reasons. It isn’t a rare sight. However, as Google point out “the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system.”
March 23rd, Google posted a blog titled “Maintaining digital certificate security,” with a CRLSet push update, effectively blocking all MCS Holding certificates in Google Chrome.
March 25th, CNNIC issued a clarification about 3 key things: first, they did not issue any certificate for MITM attack. Second, the certificate issued to MCS is for MCS internal purpose only. Third, they have revoked all authorization.
On the same day (March 25th), MCS Holding also issued a statement which explains the whole series of events: “Thursday, and for the sack of unintentional action the Firewall had an active policy to act as SSL forward proxy with an automatic generation for a certificates for browsed domains on the internet, which had been taken place on a weekend time (Friday, and Saturday) during unintentional use from one of the IT Engineers for a browsing the internet using Google Chrome which had reported a miss-use at Google’s End.” (Read more). Put in a simple terms, they confirm that this is a human mistake and not related to CNNIC.
As stated at the beginning of this post, on April 1st, any root certificates issued by CNNIC are no longer trusted by Google Chrome, but “neither Google nor CNNIC believe any further unauthorized digital certificates have been issued, nor do Google believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. Google applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place,” reads the blog by Google.
Now it looks like CNNIC has been wronged. But if you take a look closer look at CNNIC’s troubled history, you will find out there is a deeper reason. In my next post, I will discuss what the CNNIC had done before and why it’s not playing fair.