• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

Google Revoking Trust In CNNIC Issued Certificates

April 2, 2015

Views: 981

So another digital certificate fiasco, once again involving China from CNNIC (no surprise there) – this time via Egypt. Google is going to remove all CNNIC and EV CAs from their products, probably with the next version of Chrome that gets pushed out.

Google Revoking Trust In CNNIC Issued Certificates

As of yet, no action has been taken by Firefox – or at least no release has been published.

Following the incident in which an Egypt-based company issued unauthorized digital certificates for several Google domains using an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant has decided to revoke trust in CNNIC certificates.

The change will take effect in a future Chrome release, Google noted on Wednesday in an update made to its initial blog post on the matter.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” said Google security engineer Adam Langley. “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.”

The incident came to light last week, when Google revealed that several unauthorized certificates had been issued by Egypt-based MCS Holdings and installed on an internal firewall device that acted as a man-in-the-middle (MitM) proxy.

CNNIC revoked the intermediate certificate used by MCS Holdings and pointed out that the Egyptian firm should have used it to issue only certificates for domains it had registered.

Proper certs being used for MITM attacks, pretty dodgy indeed. Especially when CNNIC is included in all major root stores this does constitute a fairly serious breach of the Certificate Authority system.

I’m pretty sure CNNIC will be ‘let back in’ at some point, meaning their certs will be reissued and reinstated, but for now – they are OUT!

CNNIC’s certificates are included in all major root stores and Google believes this was a “serious breach of the CA system.” After being alerted by Google, both Mozilla and Microsoft took steps to protect Firefox and Internet Explorer users.

Langley said that while there is no evidence to suggest that other fake certificates have been issued or that the ones from MCS Holdings were used outside of the company’s own network, CNNIC will have to take measures before it can earn Google’s trust again.

“CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place,” Langley said.

In a brief statement issued on Thursday, CNNIC urged Google to reconsider its decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” CNNIC stated. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

Mozilla could also take action against CNNIC, but the company is still discussing options with members of its community.

You can read the full post from Google here: Maintaining digital certificate security

And the statement from CNNIC here: Declaration

Source: Security Week

Share32
Tweet47
Share20
Buffer
WhatsApp
Email
99 Shares

Filed Under: Cryptography, Privacy Tagged With: chrome security, google, google chrome, man-in-the-middle, mitm



Reader Interactions

Comments

  1. Alex L says

    April 4, 2015 at 6:52 am

    Mozilla is following suit and distrusting CNNIC certs – https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

    Personally, I’m glad to see the big browsers taking this seriously

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

AgentSmith HIDS - Host Based Intrusion Detection

AgentSmith HIDS – Host Based Intrusion Detection

padre - Padding Oracle Attack Tool

padre – Padding Oracle Attack Exploiter Tool

Privacy Implications of Web 3.0 and Darknets

Privacy Implications of Web 3.0 and Darknets

DataSurgeon - Extract Sensitive Information (PII) From Logs

DataSurgeon – Extract Sensitive Information (PII) From Logs

Pwnagotchi - Maximize Crackable WPA Material For Bettercap

Pwnagotchi – Maximize Crackable WPA Key Material For Bettercap

HardCIDR - Network CIDR and Range Discovery Tool

HardCIDR – Network CIDR and Range Discovery Tool

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (225)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (430)
  • Forensics (64)
  • Hacker Culture (8)
  • Hacking News (228)
  • Hacking Tools (681)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (72)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (218)
  • Secure Coding (118)
  • Security Software (233)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,181,730)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,172,350)
  • Top 15 Security Utilities & Download Hacking Tools (2,095,353)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,198,679)
  • Password List Download Best Word List – Most Common Passwords (931,827)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (774,463)
  • Hack Tools/Exploits (672,589)
  • Wep0ff – Wireless WEP Key Cracker Tool (528,852)

Search

Recent Posts

  • AgentSmith HIDS – Host Based Intrusion Detection August 31, 2023
  • padre – Padding Oracle Attack Exploiter Tool May 28, 2023
  • Privacy Implications of Web 3.0 and Darknets March 31, 2023
  • DataSurgeon – Extract Sensitive Information (PII) From Logs March 21, 2023
  • Pwnagotchi – Maximize Crackable WPA Key Material For Bettercap February 12, 2023
  • HardCIDR – Network CIDR and Range Discovery Tool December 29, 2022

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2023 Darknet All Rights Reserved · Privacy Policy