Google announced today that it is planning to block digital certificates issued by the China Internet Network Information Center (CNNIC) and by Egypt-based MCS Holdings, an intermediate certificate authority whose signing certificate was issued by CNNIC.
The blowup occurred when Google discovered that MCS had used that intermediate to issue unauthorized certificates for Gmail and other Google domains, certificates Google had never requested.
The unauthorized certificates could have been used to trick browsers into believing they were connected to Gmail when in fact they were connected to MCS servers. A browser accepts any certificate that chains up to a root it trusts, so an intermediate under a trusted root can mint a certificate for any domain at all. Such certificates enable ‘man-in-the-middle’ attacks: the attacker terminates the TLS connection with the forged certificate, reads or alters the traffic, and then relays it to the real site so the user notices nothing.
Google says it doesn’t believe the certificates were actually used for this purpose, but it nevertheless intends to block any certificate issued by MCS in its Chrome browser. Google also stated in a blog post that until CNNIC takes steps to ensure this cannot happen again, Chrome will also reject any site using a certificate issued by CNNIC or by any of its intermediate certificate authorities.
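The mechanism described in the two paragraphs above, as an added example that is not part of the original article or of any vendor’s code: a Go program that builds a constructed three-certificate chain (a root standing in for CNNIC, an intermediate standing in for MCS Holdings, and a forged leaf for mail.google.com) and then checks it the way a browser would. It shows that a client trusting only the root accepts the forged leaf, and that two defences stop it: distrusting the intermediate by its public-key fingerprint (what Chrome’s block amounts to) and pinning the site’s real key. All keys, names and fingerprints are generated at run time and are assumptions for illustration only; none is a real CNNIC, MCS or Google key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario is the constructed chain: a trusted root (stand-in for CNNIC), an
// intermediate it signed (stand-in for MCS Holdings) and a forged leaf.
type Scenario struct{ Root, Inter, Leaf *x509.Certificate }

// mkCert signs tmpl with parentKey; when parent is nil the cert is self-signed.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildScenario mints the constructed chain; the leaf carries the forged name.
func BuildScenario() Scenario {
	root, rootKey := mkCert(caTemplate(1, "Constructed Root CA (stand-in for CNNIC)"), nil, nil)
	inter, interKey := mkCert(caTemplate(2, "Constructed Intermediate (stand-in for MCS Holdings)"), root, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "mail.google.com"},
		DNSNames:     []string{"mail.google.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := mkCert(leafTmpl, inter, interKey)
	return Scenario{root, inter, leaf}
}

// SPKIFingerprint is the hex SHA-256 of the SubjectPublicKeyInfo, the value
// browsers use both for public-key pins and for distrust-by-fingerprint lists.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// GenuineSPKI stands in for the key the real site would present. It is a fresh
// random key (constructed), so the forged chain can never contain it.
func GenuineSPKI() string {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyForHost does what a browser trusting s.Root does: build a chain and check
// the hostname. blocked rejects any chain containing a distrusted SPKI (the MCS
// block); pinned, if non-empty, requires one of the listed SPKIs in the chain.
func VerifyForHost(s Scenario, host string, blocked, pinned map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Inter)
	chains, err := s.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	err = errors.New("no acceptable chain")
	for _, chain := range chains {
		if err = chainPolicy(chain, blocked, pinned); err == nil {
			return nil
		}
	}
	return err
}

func chainPolicy(chain []*x509.Certificate, blocked, pinned map[string]bool) error {
	pinHit := false
	for _, c := range chain {
		fp := SPKIFingerprint(c)
		if blocked[fp] {
			return fmt.Errorf("chain contains distrusted certificate %q", c.Subject.CommonName)
		}
		if pinned[fp] {
			pinHit = true
		}
	}
	if len(pinned) > 0 && !pinHit {
		return errors.New("no pinned public key in chain")
	}
	return nil
}

func main() {
	s := BuildScenario()
	host := "mail.google.com"
	show := func(label string, err error) {
		if err == nil {
			fmt.Printf("%-26s accepted\n", label)
		} else {
			fmt.Printf("%-26s rejected: %v\n", label, err)
		}
	}
	show("trusted root only:", VerifyForHost(s, host, nil, nil)) // accepted: this is the problem
	show("intermediate distrusted:", VerifyForHost(s, host, map[string]bool{SPKIFingerprint(s.Inter): true}, nil))
	show("site key pinned:", VerifyForHost(s, host, nil, map[string]bool{GenuineSPKI(): true}))
}
```

The first check passing is the whole point: nothing in standard chain validation distinguishes a forged mail.google.com certificate from a real one as long as the root is trusted, which is why the only remedies are to distrust the issuer (the blocklist case) or to tell the client in advance which key to expect (the pinning case).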
China, not surprisingly, is taking offence at the whole thing, with CNNIC stating: “The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.”
Google said it will allow a grace period of unspecified length before the block takes effect and that it is working with CNNIC to rectify the situation. Google also implied that CNNIC might have to go back and reissue certificates for all sites that were issued certificates by CNNIC or one of its partner companies, a move that could take considerable time and effort.
Mozilla’s Firefox 37, released this week, also blocks MCS certificates, and Microsoft has announced similar plans for Windows, but it’s not clear whether either will extend the ban all the way back to CNNIC.
It should be pointed out that when a site’s certificate is blocked by Chrome, that doesn’t always mean users will be unable to access the site: for most sites Chrome shows a full-page warning stating that the site’s certificate can’t be trusted, and users can click through and proceed at their own risk. The exception is sites that enforce HTTP Strict Transport Security (HSTS) or whose keys Chrome pins, such as Google’s own domains; there the warning cannot be bypassed.
Sigh. If you can’t trust the people who issue the ‘trust me’ certificates in the first place then you really can’t trust anyone, can you?