2015-04-03

Google, CNNIC, Unauthorized Digital Certificates for Google Domains

Google drops support for Chinese internet security certificates after trust breach | South China Morning Post: "Following what experts called a 'major breach of public trust and confidence', Google has announced that it will no longer recognise security certificates issued by the official China Internet Network Information Centre (CNNIC)..." (emphasis added)

"On Friday, March 20th, we [Google] became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC...." (source: Google)

Google Online Security Blog: Maintaining digital certificate security: "Update - April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products...."

MCS Response: "On Sunday 22nd March, Google had blamed MCS for issuing a bad digital certificate for several Google domains using the intermediate certificate issued by CNNIC (China Internet Network Information Center)...."

CNNIC Response: "Clarification on some media's claim that 'CNNIC has issued certificates for MITM attack'. On March 24th, some media reported Google's accusation that CNNIC had issued certificates for the Man-in-the-Middle (MITM) attack. In response to this report, CNNIC has the following clarification:
  1. CNNIC has not issued any certificate for the MITM attack. Google's online security blog has not accused CNNIC of issuing certificates for the MITM attack either. Reports made by some media are inconsistent with the facts.
  2. MCS, a server certificate partner of CNNIC, has confirmed that the subordinate certificates improperly issued were only used for internal tests in its laboratory, which is a protected environment.
  3. CNNIC revoked its authorization of MCS on March 22nd.
  4. CNNIC reserves the right to take further legal actions." -- China Internet Network Information Center (CNNIC), March 25th, 2015

Declaration - 2015/04/02: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urges that Google would take users' rights and interests into full consideration.
2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." -- China Internet Network Information Center (CNNIC), April 2nd, 2015 (source: CNNIC, emphasis added)

As a result of the incident reported above, Microsoft also immediately issued its own Security Advisory: ".... What are certificates used for? Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you won't have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases you should follow the instructions in the message.

"What is a certification authority (CA)? Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate....

"What might an attacker do with these certificates? An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against the following web properties:
*.google.com
*.google.com.eg
*.g.doubleclick.net
*.gstatic.com
www.google.com
www.gmail.com
*.googleapis.com

"What is a man-in-the-middle attack? A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

"What is Microsoft doing to help with resolving this issue? Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL and providing an update to help protect customers. Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers...."

More info on CNNIC: The China Internet Network Information Center, or CNNIC, is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China. It is based in the Zhongguancun high tech district of Beijing. It was founded on June 3, 1997 as a non-profit organization. CNNIC is responsible for operating and administering China’s domain name registry. CNNIC manages both the ".cn" country code top level domain and the Chinese Domain Name system (Internationalized domain names that contain Chinese characters).

Domain Mondo archive