Mozilla joins Google in banning China’s web registrar over security breach
The Mozilla Foundation, the organization which develops the Firefox web browser, has joined Google in saying that it will stop trusting all new digital certificates issued by the China Internet Network Information Center (CNNIC). The move comes in response to a major breach of trust that saw unauthorized credentials issued for Gmail and several other Google domains.
CNNIC is the body responsible for overseeing China’s web infrastructure. What this means is that both Firefox and Chrome will stop accepting certificates from most websites in the .cn domain. In practical terms, Firefox and Chrome users will receive a warning every time they access a .cn site, alerting them to possible risks to their security.
Google and Mozilla took the decision about two weeks after what they described as a major security breach. Last month, Google discovered that an Egyptian IT company named MCS Holdings had been misusing certificates it had obtained from CNNIC. Google claims MCS Holdings used the certificates to create a “man-in-the-middle” proxy, which allowed it to intercept web users’ communications by pretending to be the intended destination. Google put the blame squarely on CNNIC’s shoulders, although the Chinese governing body says it only issued a certificate to MCS on condition that it be used for domains MCS had registered.
“This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it,” Adam Langley, a security engineer at Google, said in a blog post.
Google said its decision won’t take effect immediately, however. In order to give website operators time to obtain new credentials from another certificate authority, the web giant said it will wait for an unspecified period before it stops recognizing CNNIC-issued certificates. But once that grace period ends, both Chrome and Firefox will blacklist CNNIC’s root certificates.
Unsurprisingly, CNNIC, which has carried out its own investigation into the security breach, slammed Google for its actions.
“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” CNNIC wrote on its website.
However, Google did say it would be willing to welcome CNNIC back into the fold at a later date.
“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents,” Langley wrote. “We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
Image credit: New2738 via Pixabay.com