Friday, April 03, 2015

Google, Mozilla slam door on China’s root certificate authority

Ouch, that hurt. But the decision could be more than a slap in the face for China.

Core elements of Internet security

Root certificates are one of the most important core elements of safe browsing. Indeed they are integral to how a browser "knows" it has reached Barclay's Bank or American Express or not.

Indeed SSL [security socket layer] is the foundation of the modern Internet, and without 100% trusted CAs [certificate authorities] it all falls apart.

Alarm bells

So when Google discovered in March that unauthorised security certificates were issued to several of its own domains more than a few alarms went off [ArsTechnica].

An investigation began conducted with the help of the CNNIC [China Internet Network Information Center], and it became clear that there was a problem with MCS Holdings, a Cairo-based firm contracted by the CNNIC to provide certificates.

And while Google has acknowledged the CNNIC's help in the investigation, it sees no option other than to revoke acceptance of certificates issued by the CNNIC.

The CNNIC have responded angrily saying Google's decision was "unacceptable and unintelligible" [BBC].

Losing trust

However, the issue is one of trust. A certificate authority MUST be 100% reliable. Verisign, for example, in their role as a certificate authority, must make 100% sure that this kind of thing doesn't happen. That is the only justification for their existence, and the reason why they can run a business and make money. If they messed up, as the CNNIC appears to have done, it is clear evidence that they can't be trusted. And, given the breach of trust, they should then be removed as a root certificate from all operating systems.

There is a concern that while Google and Mozilla are rolling out updates to their browsers which will removed the trusted certificates, some browsers may not be updated and potentially leave users open to malware risks.

For updated browsers, users will be presented with a warning screen before being asked if they want to proceed to the "unsecure" site.

Long term issues

However, there will be some exceptions. Google has offered a grace period to some major CNNIC-approved sites, such as banks, so they can obtain certificates from a different issuing authority.

Since the CNNIC is responsible for providing certificates for websites with a .cn or China domain name, millions of sites would likely be affected. For those accessing Chinese sites from abroad being presented with a warning could lead to quite a bit of concern. Indeed it could significantly affect traffic flows if Internet users navigate away.

The only solution for many websites would be to obtain a new certificate from another CA. However, since the state owned CNNIC is the only body issuing such certificates in China many administrators may well encounter problems.

Past issues

The concerns surrounding CNNIC root certificates are far from new. In 2010 there were a few voices that suggested CNNIC certificate approvals which might allow the Chinese government to pry into secure browsing sessions, something which fuelled existing concerns of companies and individuals operating in China at the time.

Ironically this was at a time when Google found itself in a war of words with Chinese authorities over hacking and censorship [tvnewswatch: Chinese officials talk out of their hat].

There was also talk at the time that suggested Google's decision to up sticks might have been something to do with Adwords, through which it makes much of its money. According to one article published at the time, Google might have been experiencing click fraud on a massive scale. There was, the author suggests a campaign in China which has seen clicks on advertisements despite people staying on a particular site for less than 0.0 seconds. Google earns money from an advertiser every time someone clicks an Adwords link. If the report is to be believed then Google could have potentially lost millions of dollars should it have been made public, since it would be forced to reimburse advertisers. In addition, revealing that it was suffering click fraud on a massive scale in China might have undermined confidence in other markets.

Malware attacks

More recently China was blamed for orchestrating DDoS attacks on GitHub by exploiting a javascript exploit. According to the New York Times the attacks appeared to hijack advertising and analytics traffic intended for Baidu, China's largest search company, and then send that traffic to smaller websites in what is known as a distributed denial of service or DDoS attack [BBCNetresec].  

None of this is good news for Internet users, both inside and outside China. With organisations such as highlighting these risks some time ago and with continued Man-in-the-Middle hacking attacks, something was eventually going to snap.

"We've been calling for this action for more than a year," said Charlie Smith of, which monitors Chinese internet censorship. "The Chinese authorities have maliciously been using their power as a certificate authority to launch dangerous attacks that compromise sensitive user information across many foreign media platforms,"

Building walls

And so now two major browser manufacturers have finally called time on the CNNIC's credibility as a CA.

China may back down and allow web administrators to obtain certificates from Verisign or other CA. But what is just as likely is a raising of the wall.

Bit by bit the Great Firewall of China is being built higher still, but the walls are now being built on the outside too.

tvnewswatch, London, UK