Unauthorized certificates from CNNIC for Google domains
Google has detected several unauthorized digital certificates issued for Google domains. These certificates were issued by an intermediary authority controlled by MCS Holdings, whose certificate was in turn issued by CNNIC (China Internet Network Information Center). According to statements made by Google and CNNIC, these certificates were used in a controlled environment and installed in man-in-the-middle proxies.
Nevertheless, given that the issuance of these unauthorized certificates implies a violation of good practices for certification, Google, Mozilla and Microsoft have removed from their products the trust in the certificates issued by CNNIC and MCS Holdings. Apple has not yet taken any action in this matter.
Nevertheless, given that the issuance of these unauthorized certificates implies a violation of good practices for certification, Google, Mozilla and Microsoft have removed from their products the trust in the certificates issued by CNNIC and MCS Holdings. Apple has not yet taken any action in this matter.
References:
- 23/03/2015 googleonlinesecurity.blogspot.com.es Maintaining digital certificate security
- 25/03/2015 cnnic.cn Clarification on some media’s claim that "CNNIC has issued certificates for MITM attack"
- 23/03/2015 blog.mozilla.org Revoking Trust in one CNNIC Intermediate Certificate
- 24/03/2015 technet.microsoft.com Improperly Issued Digital Certificates Could Allow Spoofing
- 02/04/2015 arstechnica.com Google Chrome will banish Chinese certificate authority for breach of trust [Updated]
- 02/04/2015 zdnet.com Google boots China's main digital certificate authority CNNIC
- 09/04/2015 threatpost.com Apple Leaves CNNIC Root in iOS, OSX Certificate Trust Lists