Wednesday , 24 July 2019
Breaking News
Google and Mozilla decide to ban Chinese certificate authority CNNIC from Chrome and Firefox

Google and Mozilla decide to ban Chinese certificate authority CNNIC from Chrome and Firefox

The country of China.

The country of China.

Above: The country of China.

Image Credit: IM Global

Gaming execs: Join 180 select leaders from King, Glu, Rovio, Unity, Facebook, and more to plan your path to global domination in 2015. GamesBeat Summit is invite-only — apply here. Ticket prices increase on April 3rd!


Google and Mozilla have announced that their respective browsers will stop trusting all digital certificates issued by the China Internet Network Information Center (CNNIC), China’s main digital certificate authority. The decision follows last week’s news from Google, which said on March 20 it discovered unauthorized digital certificates for several of its domains. Google found that the certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that CNNIC allowed to operate.

On April 1, Google updated its blog post with the following statement:

As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.

While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

Google does not say when this change will go into effect. It likely wants to give affected website operators time to switch to a different certificate authority.

CNNIC responded on April 2 (today) with the following:

1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.

2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.

Mozilla followed in Google’s footsteps today:

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.

Unlike Google, Mozilla is offering CNNIC the option to re-apply for full inclusion in the Mozilla root store. The restriction thus might be removed if CNNIC chooses to complete additional steps and then go through its inclusion process.

If Chrome and Firefox were to stop recognizing all website certificates issued by CNNIC, the impact could be huge in China; millions of users would suddenly not be able to connect to various websites. Presumably, Google and Mozilla will wait a reasonable amount of time before flipping the switch, so website operators can ensure their sites will continue to work as expected.

The Mozilla Foundation is a non-profit organization that promotes openness, innovation and participation on the Internet. Mozilla is best known for the Firefox browser, but we advance our mission through other software projects, grants… read more »

Google’s innovative search technologies connect millions of people around the world with information every day. Founded in 1998 by Stanford Ph.D. students Larry Page and Sergey Brin, Google today is a top web property in all major glob… read more »

Powered by VBProfiles

Article Source

Share and Enjoy

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Email
Print