Google and China clash over web security certificates

Google and China have clashed over a digital certificates security issue

The Chinese certificate authority (CA) at the centre of the Mac, Windows and Linux unauthorised digital certificates scandal has snapped back at Google’s decision to no longer recognise its work.

Google’s announcement will see Chrome users deterred from visiting sites with certificates served by the China Internet Network Information Centre (CNNIC), and effectively discouraged from visiting sites hosted in the country.

The decision followed a joint investigation between the two parties, but the conclusion has not pleased the CNNIC.

Google is making its move gradually, saying that it will drop recognition in a future Chrome update and will, for a period, allow CNNIC's existing certificates to remain trusted.

“We have decided that the CNNIC Root and EV CAs will no longer be recognised in Google products. This will take effect in a future Chrome update,” the firm said.

“We will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome through the use of a publicly disclosed whitelist.”

Google “applauded” the Chinese authority for its proactive effort to prevent further incidents, but the statement has an air of disapproval.

“CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion,” it added.

“We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”

The CNNIC response is not so soft and accuses Google of a reaction that will harm user rights and interests. The firm promises to stick by those users.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” it said.

“For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

Google and Mozilla blocked the bogus certificates, which could have been used to target Mac, Windows and Linux users, in late March.

Google security engineer Adam Langley said in a threat advisory that the problem affects numerous systems, and confirmed the role of the CNNIC.

“The certificates were issued by an intermediate CA apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC,” read the advisory.

“CNNIC is included in all major root stores so the mis-issued certificates would be trusted by almost all browsers and operating systems.

“We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push.”

Langley added that the certificates are dangerous as they could be used to intercept web users’ communications.

“Rather than keep the private key in a suitable Hardware Security Module, MCS Holdings installed it in a man-in-the-middle proxy,” he explained.

“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”

Mozilla issued a separate threat advisory, promising Firefox users that it is addressing the problem.

“While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37,” read the advisory.

“We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL which will be used for this certificate revocation and for future certificate revocations of this type.”
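The CRLSet push Langley describes and Mozilla's OneCRL both ship revocation data straight to the browser instead of relying on the CA's own CRL or OCSP responder. Below is an added example, not code from the article, Google or Mozilla: a constructed Go program that mints a throwaway root, intermediate and leaf, validates the chain normally, then refuses any trust path through an intermediate whose public-key hash has been pushed to a local blocklist. All names and keys are constructed for the demo, and keying the blocklist by SubjectPublicKeyInfo hash is an assumption chosen here because it invalidates every leaf the intermediate ever signed, not just one serial number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent (self-signed when parent is nil). Constructed test PKI only.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiHash is SHA-256 over the SubjectPublicKeyInfo: blocking on the issuer's key, not on one
// serial, catches every leaf a mis-used intermediate (like the one in a MITM proxy) has signed.
func spkiHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// verifyWithBlocklist does ordinary path validation, then rejects a path that crosses a blocklisted issuer.
func verifyWithBlocklist(leaf *x509.Certificate, inters, roots *x509.CertPool, blocked map[[32]byte]bool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err // untrusted root, expired, or hostname mismatch
	}
	for _, chain := range chains {
		for _, c := range chain[1:] { // chain[0] is the leaf itself
			if blocked[spkiHash(c)] {
				return errors.New("trust path runs through a blocklisted issuer: " + c.Subject.CommonName)
			}
		}
	}
	return nil
}
```

The trusted root alone makes the leaf validate; the chain only fails once the intermediate's key is on the pushed blocklist, which is why a CRLSet or OneCRL update protects users without waiting for the CA.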

Bogus certificates have been a growing problem for security professionals. Microsoft rushed to fix an improperly issued SSL certificate for the live.fi domain earlier in March.

Greatfire.org reported in January seeing a surveillance campaign in China targeting Outlook users using a bogus certificate.

2 April 2015 | 10:42 am – Source: v3.co.uk
