Both Google and Mozilla concluded that the China Internet Network Information Center (CNNIC) had violated several of their policies. Google announced that its Chrome browser and other products will no longer recognize security certificates issued by CNNIC, the government agency that oversees China's domain name registry. The Mozilla Foundation rejects new digital certificates issued by CNNIC in its products, but will continue to trust certificates that already exist.
Google's security engineers became aware in March 2015 of unauthorized digital certificates for several Google domains. The certificates had been issued by an intermediate certificate authority apparently held by MCS Holdings, a company based in Egypt; that intermediate certificate was itself issued by CNNIC. Mozilla was notified that a Certificate Authority (CA) from China had issued an unconstrained intermediate certificate, which the recipient then used to issue certificates for domain names it did not own or control.
Because CNNIC's root is included in all major root stores, the misissued certificates would have been trusted by almost all browsers and operating systems. Chrome on Windows, OS X and Linux, Chrome OS, and Firefox 33 and later would have rejected these particular certificates because Google's domains are protected by public-key pinning; pinning does nothing for sites that are not pinned, however, and misissued certificates for other sites likely exist.
Intermediate certificates inherit the signing power of the issuing certificate authority: unless the issuer constrains them (for example with name constraints that limit the domains they may certify), they can be used to issue trusted certificates for domain names owned by other organizations.
MCS is a major distributor of security products in Egypt and the Middle East. It has delivered and implemented security projects in Egypt through its partners, and partners directly with some of the world's largest IT security companies, including Intel Security, Palo Alto Networks, Gemalto and Riverbed. MCS had signed an official demonstration agreement with CNNIC on 11 March 2015 to test secure cloud-based services that it planned to introduce in the Middle East region.
However, allegedly due to human error, the certificate was installed in a firewall device with HTTPS (HTTP Secure) traffic inspection capabilities. The device automatically used it to generate certificates for Google-owned domain names while intercepting HTTPS traffic between an internal MCS Holdings computer and Google's services. Google became aware of the unauthorized certificates for its web properties because Chrome's public-key pinning reported the violation to the company. After analysing the incident, Mozilla established that CNNIC had violated several policies by issuing the intermediate certificate to MCS Holdings in the first place.
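The two mechanics described above, an intermediate that inherits its issuer's trust and issues a leaf for someone else's domain, and a public-key pin that catches the result, can be reproduced offline. The following Go program is an added example written for this page; it is not code from Google, Mozilla, CNNIC or MCS, and it does not model the actual firewall. All names in it ("Demo Root CA", "Demo Intermediate", the constraint domain "mcs.example") are constructed, and the "genuine" server key is simply a fresh P-256 key generated in place. The program builds root -> intermediate -> leaf for www.google.com, checks whether the chain verifies against the root with and without a name constraint on the intermediate, and compares the leaf's SPKI pin against the genuine server's pin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// signer pairs a certificate with the private key that signs on its behalf.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a certificate for cn signed by parent, or
// self-signed when parent is nil. CA certs get basic constraints and certSign;
// leaves get a DNS SAN and the TLS server EKU. A non-empty permitted list adds
// a name constraint, the control an issuer can place on an intermediate.
func issue(cn string, serial int64, isCA bool, permitted []string, parent *signer) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, parentKey := tmpl, key // template == parent means self-signed
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{cert: cert, key: key}, nil
}

// spkiPin computes an HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// simulate builds root -> intermediate -> leaf for host, the leaf minted by the
// intermediate the way an inspecting device would. It reports whether that chain
// verifies against the root and whether the leaf's key matches the pin of the
// genuine server, whose key is generated separately and never enters the chain.
// permitted, if non-nil, becomes a name constraint on the intermediate.
func simulate(host string, permitted []string) (chainOK, pinOK bool, err error) {
	root, err := issue("Demo Root CA", 1, true, nil, nil) // constructed name
	if err != nil {
		return false, false, err
	}
	inter, err := issue("Demo Intermediate", 2, true, permitted, root) // constructed name
	if err != nil {
		return false, false, err
	}
	forged, err := issue(host, 3, false, nil, inter)
	if err != nil {
		return false, false, err
	}
	genuineKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the real server key
	if err != nil {
		return false, false, err
	}
	genuineSPKI, _ := x509.MarshalPKIXPublicKey(&genuineKey.PublicKey) // cannot fail for an ECDSA key
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(inter.cert)
	_, verr := forged.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return verr == nil, spkiPin(forged.cert.RawSubjectPublicKeyInfo) == spkiPin(genuineSPKI), nil
}

func main() {
	for _, permitted := range [][]string{nil, {"mcs.example"}} { // "mcs.example" is a constructed constraint
		ok, pin, err := simulate("www.google.com", permitted)
		fmt.Printf("constraint=%v chainVerifies=%v pinMatches=%v err=%v\n", permitted, ok, pin, err)
	}
}
```

With no constraint the forged leaf chains to the root and path validation accepts it; only the pin comparison fails, which is the situation Chrome was in. With a name constraint on the intermediate, path validation itself rejects the leaf, so the constraint is the issuer-side control and the pin is the relying-party-side one.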
MCS confirmed that the reported issue was an unintentional human mistake involving a single PC in its lab that had been dedicated to testing. A Google spokesman said: "We have no indication of abuse, and we are not suggesting that people change passwords or take other action". Some public reports claimed the certificates had been used for abuse or to spy on traffic; that is inconsistent with the spokesman's statement that "Google does not, however, believe the certificates were used for that purpose".
In practical terms, Mozilla's and Google's actions have the same effect: their respective products will reject new CNNIC-issued certificates until the Chinese authority goes through a re-certification process. Google added: "To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist."
Like Google, Mozilla is offering CNNIC the option to reapply for full inclusion, so the restriction might be lifted if CNNIC meets Google's and Mozilla's requirements. Had Chrome and Firefox stopped recognizing all website certificates issued by CNNIC at once, the impact in China could have been huge: millions of users would suddenly have been unable to connect to various websites.