Chinese Internet authority clashes with Google over digital certificates

02.04.2015
A Chinese Internet administrator blasted Google on Thursday, after the U.S. search giant decided to stop recognizing digital certificates issued by the group following a security lapse.

"The decision that Google has made is unacceptable and unintelligible," China's Internet Network Information Center (CNNIC) said in an online posting.

Google's decision means that its Chrome browser could end up clashing with sites served by the Chinese Internet agency.

On Wednesday, Google explained the move in an update to an earlier blog posting. The company is still concerned by the way CNNIC issued a certificate to an IT company based in Egypt that misused it in a botched security test.

Google and CNNIC conducted a joint investigation, but despite the effort, the U.S. company decided to drop the Chinese Internet agency as a recognized root certificate authority.

However, Google signaled that this was only a temporary measure. For a limited time, the Chrome browser will trust existing CNNIC-issued certificates.

"We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place," Google added.

If a standoff ensues, Google's decision has the potential to hamper the Chinese Internet agency's reach. Upon encountering new CNNIC-issued certificates, the Chrome browser will issue a warning, alerting the user to the access risks.

The digital certificates are important, because if abused, they could be deployed to conduct hacking attacks against unsuspecting users.

CNNIC administers China's Internet infrastructure, and runs the .cn domain name system. But the agency is also linked with the Chinese government, which has been accused of launching cyberattacks against U.S. companies and activist groups.

This recent dispute, however, has more to do with the potential for abuse than any actual hacking attempt.

Last month, CNNIC issued a so-called intermediate CA certificate to an Egyptian IT company called MCS Holdings for internal testing, but the company then used it for other purposes. Intermediate certificates allow their owners to issue certificates for any domain names on the Internet, so their use should be strictly controlled.

Following the incident, CNNIC revoked the certificate. MCS Holdings attributed the misuse to human error.

On Thursday, CNNIC said customers issued with existing certificates would not be affected by Google's decision. But the Internet agency could face trouble in securing new customers.

By dropping CNNIC, Google is indirectly driving more business to competing certificate authorities, said F-Secure security advisor Su Gim Goh.

"You will most likely want to purchase from someone else, so that your business won't be affected," Goh said, adding. "It's definitely an interesting move, let's see what the other browsers do."

Microsoft and Mozilla did not immediately respond for comment. Last month, Mozilla also took action and revoked the CNNIC-issued certificate misused by MCS Holdings.

Michael Kan