Google Disavows CNNIC Certificates

Friday, April 3, 2015 @ 11:04 AM gHale

In the wake of last week’s incident caused by unauthorized digital certificates issued for Google domains by MCS Holdings, an intermediate CA operating under the China Internet Network Information Center (CNNIC), Google will not allow its Chrome browser to recognize the digital certificate issued by CNNIC.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” Google Security Engineer Adam Langley said in a blog post.

Rogue Digital Certificate Revoked
Surveillance Malware Hides as Legit Software
Regin: ‘Complex Software’
Updated Malware Boosts Espionage Tool

The change will not be immediate as it will take effect in a future Chrome update. That means users who have obtained their certificates from CNNIC will have time to get new ones from another CA.

“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the mis-issued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion,” Langley said.

Leave a Reply

You must be logged in to post a comment.