Last month, a Chinese certificate authority issued valid security certificates for a number of domains, including Google’s, without their owners’ permission, which resulted in a major breach of trust in the certificate chain.
CNNIC had delegated its authority to Egyptian intermediary MCS Holdings to issue the certificates in question, and MCS Holdings installed the intermediate certificate in a man-in-the-middle proxy on its internal network.
Google said in its original post that CNNIC had “delegated their substantial authority to an organization that was not fit to hold it.”
Today, Google has updated its post saying it will drop the CNNIC root certificate authority entirely after a joint investigation into what happened, despite the companies confirming that the certificates were never used outside a test lab.
In its post, Google said that “CNNIC Root and EV CAs will no longer be recognized in Google products” and an update will be issued soon for Chrome that removes the provider.
The security provider has come under fire in the past for allegedly performing internet censorship on users inside China, as well as reportedly producing malware.
Sites whose certificates chain to CNNIC get a short grace period in which Google will continue to trust them, giving operators time to obtain a replacement before those certificates are marked invalid.
CNNIC’s CA may eventually be re-added, however, with the post noting that “CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion.”
All computers trust a number of root certificate providers by default, CNNIC among them, and any trusted root can issue a certificate for any domain; it therefore only takes lax security at one provider to compromise the security of the entire issuing chain.
➤ Maintaining digital certificate security [Google Security Blog]