Google Exiles A Chinese Certificate Authority From The Web

Google is taking the unusual step of updating Chrome to effectively exile from the Web a Chinese firm tasked with vouching for the identity of websites. Google’s move against the Chinese Internet Network Information Center, or CNNIC, comes after the Chinese company allowed an Egyptian firm to issue fake certificates for Google domains.

Mozilla subsequently followed suit with its own CNNIC blackout in its Firefox browser, although it will apply only to certificates issued after April 1, 2015. 

Certificate authorities like CNNIC provide the crucial service of verifying that the website you’ve connected to is in fact who it says it is. They do so by issuing digital certificates to sites that browsers can check to ensure that you’ve connected, for instance, to your bank and not an imposter site that can harvest your password and other details. This process is largely invisible to the average Web user, but it underpins the workings of the modern Web.

Google and Mozilla said CNNIC delegated certificate authority to the Egypt-based intermediary MCS Holdings, which in turn issued the fake certificates for Google sites and installed them in “man in the middle” proxy software that could be used to snoop, undetected, on user email, chat and other communications via Google services.

Google security engineer Adam Langley said it was “a serious breach of the certificate authority system” and confirmed that CNNIC will no longer be trusted in an upcoming Chrome update.

Google didn’t provide a timeframe for that update, in order to allow website owners the chance to switch to a different certificate authority. Microsoft has also hinted that it will put a similar ban in place with Internet Explorer.

For its part, CNNIC claims the certificate was intended for testing and was installed on the wrong server due to a human error by MCS Holdings. In its official statement, Google admits this explanation “is congruent with the facts” but says “CNNIC still delegated their substantial authority to an organization that was not fit to hold it.” Mozilla likewise called CNNIC’s action an “egregious practice” that violated its policies on the proper handling and use of certificates.
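The two browser responses described above can be compared in a small model of chain validation. This is an added example, not code from the article or from either browser. It assumes constructed certificate names and dates (only the April 1, 2015 cutoff comes from the article) and does not check signatures.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date          # issuance date used by the date-based policy
    is_ca: bool = False       # may this certificate sign other certificates?
    dns_names: tuple = ()

# Constructed sample data; every name and date here is hypothetical.
ROOT = Cert("Example Root CA", "Example Root CA", date(2010, 1, 1), is_ca=True)
SUB = Cert("Example Delegated Sub-CA", "Example Root CA", date(2015, 3, 1), is_ca=True)
OLD_SITE = Cert("shop.example", "Example Root CA", date(2014, 6, 1),
                dns_names=("shop.example",))
NEW_SITE = Cert("bank.example", "Example Root CA", date(2015, 5, 1),
                dns_names=("bank.example",))
MISISSUED = Cert("mail.example", "Example Delegated Sub-CA", date(2015, 3, 20),
                 dns_names=("mail.example",))
POOL = {c.subject: c for c in (ROOT, SUB)}
CUTOFF = date(2015, 4, 1)     # the cutoff date stated in the article

def build_chain(leaf, pool, max_depth=5):
    """Follow issuer links from the leaf to a self-issued root; None if broken."""
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        parent = pool.get(chain[-1].issuer)
        if parent is None or not parent.is_ca or len(chain) > max_depth:
            return None
        chain.append(parent)
    return chain

def accepts(leaf, host, trusted_roots, distrust_after=None):
    """Decide whether a client with this trust store accepts leaf for host.

    distrust_after maps a root subject to a date; leaves issued after it fail.
    """
    chain = build_chain(leaf, POOL)
    if chain is None or host not in leaf.dns_names:
        return False
    root = chain[-1]
    if root.subject not in trusted_roots:
        return False          # root removed: every chain under it fails
    cutoff = (distrust_after or {}).get(root.subject)
    return cutoff is None or leaf.not_before <= cutoff
```

With these constructed dates, the date cutoff still accepts the certificate from the delegated sub-CA because it predates April 1, 2015, while removing the root rejects every chain under it, including sites that did nothing wrong.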

Google As Gatekeeper

It’s the latest example of Google throwing its substantial weight around in policing the Web—even when its intentions are good, the Mountain View firm carries an almost unstoppable level of clout in making decisions about security and fraud on the Internet, and that means the average Web user is essentially at the whim of Google’s choices.

In a statement posted online, CNNIC called Google’s decision “unacceptable and intelligible.” It went on to say “CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.” CNNIC’s concern is that users will find themselves unfairly locked out of email sites, banking portals and other secured domains verified by the firm.

This tone seems at odds with the diplomatic one used by Google, with Langley hinting that everything could eventually return to normal: “We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.” That would be likely to take a significant amount of time, however.

After this particular kerfuffle has died down, the incident is unlikely to register on the radar of the average Gmail or Google Drive user—indeed, you need a high level of technical knowledge to even understand what’s happened. Nevertheless, it’s a reminder of the need to keep our online guardians under close scrutiny while they make decisions on our behalf.

Photo by MDrX
