RAGING Google SLAPS naughty Chinese root cert kingpins CNNIC

Google has announced it will no longer recognise the Chinese Internet Network Information Centre (CNNIC) as a Root Certificate Authority, following an investigation into unauthorised certificates issued for several Google domains. Adam Langley, a security engineer at the Chocolate Factory, wrote that Google had become aware of …

  1. Cubical Drone

    "CNNIC sincerely urge that Google would take users’ rights and interests into full consideration"

    Wait, what, seriously?!?!

  2. ZSn

    over reaction?

    While this was an obvious cockup by CNNIC, it wasn't done directly by them (or, as far as I can see, with their collusion). If this was done by, say, Verisign, would they be so eager to bankrupt them? Am I missing something?

    1. Lee D Silver badge

      Re: over reaction?

      It's that CNNIC weren't aware of this, that they didn't shut them down themselves, and just read the tone of their response: "this is unacceptable".

      Most browsers have taken the first step of disabling the subsidiary's intermediate CA immediately anyway. The question then lies in how that intermediary was allowed to sign something for Google without breaching an agreement with CNNIC or without CNNIC shutting them down themselves (i.e. CNNIC revoking the intermediary immediately).

      Fact is, CNNIC control not only a CA but the numbering-authority for China. They should know better. But it's their response to the incident that may cost them their trusted-root status.

    2. Jason Bloomberg Silver badge

      Re: over reaction?

      I would guess Google saw an opportunity to grab them by the balls and seized their chance. It is always advantageous to hold a 'you do this and we'll do that, or we can leave things as they are now' position; the more someone wants something the more one can get in return.

      1. Anonymous Coward

        Re: over reaction?

        "...to grab them by the balls..."

        This is the CNNIC though. No one grabs them by any part of their body. Whatever the CNNIC says about the Internet, is basically law in China.

        The only issue for CNNIC, would be any embarrassment regarding improper behavior. What they did or didn't know about the fake Google certs will be secondary to concerns about whether gov't certificates have been faked. While CNNIC is enormously powerful over Internet concerns, there is always a bigger agency/department over top of them.

    3. gnasher729 Silver badge

      Re: over reaction?

      That's how it should work. A certificate authority MUST be one hundred percent reliable. Verisign, for example, in their role as certificate authority, must make hundred percent sure that this kind of thing doesn't happen. That is the only justification for their existence, and the reason why they can run a business and make money. If they mess up like this, it is clear evidence that they can't be trusted. And they should then be removed as a root certificate from all operating systems.

      I'd sincerely hope that Google passes their findings on to Microsoft, Apple, maybe RedHat, anyone who installs root certificates on users' computers. And that these companies remove that root certificate.

    4. joed

      Re: over reaction?

      The only way to keep CAs honest is to publicly shame them. I believe that CNNIC was treated lightly (the 1st losers that got their private key public went out of business as a result of disclosure). And let's not forget, CAs make money off trust so they'd better live up to higher standards.

    5. jonathanb Silver badge

      Re: over reaction?

      Diginotar were bankrupted in similar circumstances, so yes.

  3. umacf24

    Will this have any effect on Windows?

    I thought Chrome on Windows used the Windows CA trusts. Is Chrome going to edit that?

    1. Lee D Silver badge

      Re: Will this have any effect on Windows?

      Last I heard, they are coding against certificates issued by the CA after a certain date/time.

      They almost certainly have a whitelist/blacklist inside the browser that takes precedence over whatever the user might have in their Windows certificate store.

    2. jnffarrell1

      Re: Will this have any effect on Windows?

      Yes, this will affect Windows and the whole bogus SSL trust system. Technical means are available to stop the charade of trust and replace it with a technically enforceable system. If Google were raging, as the headline suggests, the scramble to replace SSL would take weeks, not months.

  4. Pen-y-gors

    Not entirely unreasonable

    And, given the apparent way that the Chinese govt is using the Great Firewall to add malware (the Github DDoS js code) to various files coming from Chinese servers, there's a strong case for Google to flag all websites served from behind the Firewall as likely to contain malware. Visit anything.cn at your own risk!

  5. Daggerchild Silver badge

    Urgh. Google really don't do politics do they. China will probably now look for something Googly to crush on principle, to the dismay of everyone on board it. You don't make China lose face.

    But, if you crank up a couple of meta levels out of the storm layer... they had one job, and they failed. And correct me if I'm wrong but, didn't they consciously *choose* to fail it?

    Politics and critical infrastructure. Why do humans suck *so badly* at this game..

    1. Anonymous Coward

      Re: Daggerchild

      "Politics and critical infrastructure. Why do humans suck *so badly* at this game.."

      Politicians.

  6. Stevie

    Bah!

    Good. Hold the feet of anyone misusing the mechanism to the fire.

    As for the Chinese losing face: 8op 8ob 8op There comes a point when acceding to another's sense of propriety has to take a back-seat in the face of mendacity, and the Chinese are past masters of the "oh you are so rude, western barbarian" GOOJF card-play.

    1. seacook

      Re: Bah!

      Always good to have some magic dust to use in the Magic Kingdom!

      They need to have a public face losing incident more often.

  7. Anonymous Coward

    Oy China, Leave the spying to the US

    So when one of several NSA front companies that holds root certs is caught with their hands in the cookie jar, it would be FISA court order time. Nothing to see here move along.

  8. Anonymous Coward

    Root of Trust

    Somebody at a higher level than Google better jump into this discussion quick, and with a solution that is technically viable and above politics (we can rule out the Obama administration then).

    This is a serious issue that goes beyond just tit-for-tat cert revocations... we are observing a partitioning of the internet and commercial-technological links along new lines of power that are just now becoming evident.

    The time calls for reasonable discussions by people that actually understand technology and are not looking at their next election/fundraising round/own bottom line when weighing in.

    1. Anonymous Coward

      Re: Root of Trust

      "...we are observing a partitioning of the internet and commercial-technological links along new lines of power that are just now become evident"

      You are about 15 years late to that discussion. The whole Great Firewall was seen as a partition from day 1. China's heavy use of IPv6 is another. Wikipedia has been blocked in China for over 10 years.

  9. Justicesays

    Hmm, I wonder

    "The Chocolate Factory state that "While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network. CNNIC will be working to prevent any future incidents.""

    So, How did Google "become aware" of these certificates?

    Presumably Chrome reported back to the big Googleplex from inside MCS and ratted them out?

    Nice bit of spyware you got there Google.

  10. stu 4

    Good decision

    SSL is the foundation of the modern internet - without 100% trusted CAs it all falls apart.

    The only sensible next step is for CNNIC to lose its root authority - it's a very very slippery slope if they don't.

    Even if they do though, most browsers don't check for revocation, do they? So we'd still have a year or so of those certs being accepted by browsers.

    The fact Google doesn't trust root certs for its own certificates and uses pinning is telling - unless we want to get into a situation where you need to use the 'barclays browser' for banking, and the 'paypal browser' for paypal, etc, root authorities need to be treated as infallible or they lose their root.

  11. Anonymous Coward

    Ah, I see Google is still pissed off..

    .. for having lost so badly to Baidu that they had to pull out (I hope you didn't buy the "they spy on us" excuse, that was just to make them look good while they pulled out of China - the reality was that they couldn't get a profitable foot on the ground).

    Thus, now any excuse will do. Remove the Chinese root certs? Yeah, sure, that will help all the companies now operating in China a lot, at least they can now avoid Chrome.

    Now, I have no specific love for the Chinese, but who elected Google to engage in politics? This is the second time they go stupid on a large scale, and the grand standing is becoming tiresome. As is Google, actually. It would be novel if they could actually just concentrate on stealing people's personal information and shut up otherwise - there are plenty lawsuits waiting to be dealt with.

    1. jnffarrell1

      Re: Ah, I see Google is still pissed off..

      Google just took most of the value of the internet away from Chinese business. China net can now mostly talk to itself. That's what they want. Problem is, how to steal IP and resell it just got 100x more difficult for ChinaNet. RussiaNet is coming soon.

  12. tvnewswatch

    All browsers should revoke CNNIC certificates, not just Google Chrome and Mozilla's Firefox - and with IMMEDIATE effect. There should be no grace period. The faith and trust has already been broken with continued Man-in-the-Middle attacks facilitated by certificates handed out by the CNNIC. This issue is an old one. While working in China in 2009-2011 there were strong concerns that CNNIC certificate approvals might allow the Chinese government to pry into secure browsing sessions. However little was reported and even less was done to deal with the problem. Since 2013 GreatFire.org has continually called for CNNIC certificate revocations but their calls have, until now, been virtually ignored.

    But Western tech companies should not stop at revoking these certificates. There is a case for reciprocating blocks on Chinese websites that by way of Chinese censorship capitalize on the restricted market. Baidu, China's main search engine, profits from Google's inaccessibility. RenRen have built their business on the back of Facebook's being blocked. WeChat [Weixin], China's version of WhatsApp, SinaWeibo, China's version of Twitter, Taobao, China's eBay equivalent, Jiepang, China's most successful Foursquare clone, and Youku, China's answer to YouTube, these have all built up massive businesses due to their western counterparts being blocked. There might be an argument concerning inappropriate content being posted on such sites. However by blocking them China has essentially broken WTO rules and created a very uneven playing field when it comes to tech businesses. Indeed it is a form of protectionism.

    News websites and TV channels are also routinely blocked including the BBC, NYT, Bloomberg and other websites. BBC World and CNN are also blanked whenever there is a story that China finds uncomfortable.

    China should therefore be given a taste of its own medicine. All state media should thus be blocked until western news media bans are lifted. Similarly Baidu, RenRen, Wechat, SinaWeibo, Taobao, Youku, Jiepang and other China based social media sites should also be blocked.

    Only by playing hardball with these dictatorships will they begin to change.

    1. Anonymous Coward

      And you think revoking CNNIC certificates will make a difference? All that will happen is that there will be a "China-optimised" browser released, probably a fork of Chromium or Firefox, which has the China-authorised certificates in it. And all those Chinese-made Android phones are not going to have this problem, obviously.

      As for blocking Baidu etc in the West, would China really be bothered? Ultimately it might end up with China running a completely separate Internet, with nothing but a few SMTP relays joining it to the outside world. Wouldn't that suit them?
