{"id":3896,"date":"2015-04-02T23:41:55","date_gmt":"2015-04-02T15:41:55","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3896"},"modified":"2015-09-09T19:36:39","modified_gmt":"2015-09-09T11:36:39","slug":"google-revoking-trust-in-cnnic-issued-certificates","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2015\/04\/google-revoking-trust-in-cnnic-issued-certificates\/","title":{"rendered":"Google Revoking Trust In CNNIC Issued Certificates"},"content":{"rendered":"<p>So another digital certificate fiasco, once again involving China from CNNIC (no surprise there) &#8211; this time via Egypt. Google is going to remove all CNNIC and EV CAs from their products, probably with the next version of Chrome that gets pushed out.<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/farm8.staticflickr.com\/7622\/16824455079_867877060b.jpg\" alt=\"Google Revoking Trust In CNNIC Issued Certificates\" \/><\/p>\n<p>As of yet, no action has been taken by Firefox &#8211; or at least no release has been published.<\/p>\n<blockquote><p>Following the incident in which an Egypt-based company issued unauthorized digital certificates for several Google domains using an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant has decided to revoke trust in CNNIC certificates.<\/p>\n<p>The change will take effect in a future Chrome release, Google noted on Wednesday in an update made to its initial blog post on the matter.<\/p>\n<p>\u201cAs a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,\u201d said Google security engineer Adam Langley. \u201cTo assist customers affected by this decision, for a limited time we will allow CNNIC\u2019s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.\u201d<\/p>\n<p>The incident came to light last week, when Google revealed that several unauthorized certificates had been issued by Egypt-based MCS Holdings and installed on an internal firewall device that acted as a man-in-the-middle (MitM) proxy.<\/p>\n<p>CNNIC revoked the intermediate certificate used by MCS Holdings and pointed out that the Egyptian firm should have used it to issue only certificates for domains it had registered.<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>Proper certs being used for MITM attacks, pretty dodgy indeed. Especially when CNNIC is included in all major root stores this does constitute a fairly serious breach of the Certificate Authority system.<\/p>\n<p>I&#8217;m pretty sure CNNIC will be &#8216;let back in&#8217; at some point, meaning their certs will be reissued and reinstated, but for now &#8211; they are OUT!<\/p>\n<blockquote><p>CNNIC\u2019s certificates are included in all major root stores and Google believes this was a \u201cserious breach of the CA system.\u201d After being alerted by Google, both Mozilla and Microsoft took steps to protect Firefox and Internet Explorer users.<\/p>\n<p>Langley said that while there is no evidence to suggest that other fake certificates have been issued or that the ones from MCS Holdings were used outside of the company\u2019s own network, CNNIC will have to take measures before it can earn Google\u2019s trust again.<\/p>\n<p>\u201cCNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place,\u201d Langley said.<\/p>\n<p>In a brief statement issued on Thursday, CNNIC urged Google to reconsider its decision.<\/p>\n<p>\u201cThe decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users\u2019 rights and interests into full consideration,\u201d CNNIC stated. \u201cFor the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.\u201d<\/p>\n<p>Mozilla could also take action against CNNIC, but the company is still discussing options with members of its community.<\/p><\/blockquote>\n<p>You can read the full post from Google here: <a href=\"http:\/\/googleonlinesecurity.blogspot.ro\/2015\/03\/maintaining-digital-certificate-security.html\">Maintaining digital certificate security<\/a><\/p>\n<p>And the statement from CNNIC here: <a href=\"http:\/\/www1.cnnic.cn\/AU\/MediaC\/Announcement\/201504\/t20150402_52049.htm\">Declaration<\/a><\/p>\n<p>Source: <a href=\"http:\/\/www.securityweek.com\/google-revoke-trust-cnnic-certificates\">Security Week<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So another digital certificate fiasco, once again involving China from CNNIC (no surprise there) &#8211; this time via Egypt. Google is going to remove all CNNIC and EV CAs from their products, probably with the next version of Chrome that gets pushed out. As of yet, no action has been taken by Firefox &#8211; or [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"So another digital certificate fiasco, once again involving China from CNNIC (no surprise there) - this time via Egypt.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[26,17],"tags":[4813,83,3245,1201,1198],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3896"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3896"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3896\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}