The search giant has taken the drastic step after it was revealed that CNNIC had failed to exert adequate controls in allowing an Egyptian company, MCS Holdings, to issue certificates without sufficient safeguards in place.
In taking this step, Google said it had been forced to act as CNNIC had “delegated their substantial authority to an organisation that was not fit to hold it.” The company said the stricture would apply to all Google products. Google's action has been copied by Microsoft and Mozilla has also de-recognised CNNIC until the company gets its house in order.
The problem arose because MCS had been cavalier with its testing process. Google said the company had been told to issue certificates only to those domains that it had registered and to keep the private key in a safe hardware security module (HSM). However, MCS linked to a proxy machine, outside the test lab and provided the proxy machine with the status of a full certificate authority – a highly insecure state of affairs.
Both MCS and CNNIC are crying foul. In a statement on its website, MCS said it had been an unfortunate mistake “MCS confirms that the reported issue is a human mistake that took place unintentionally through a single PC inside MCS Lab which had been dedicated for testing purposes.” and that MCS had a full transparent response for the incident with accurate information."
CNNIC could scarcely contain its anger. It also posted a statement on its site: “The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration.” Neither company would comment beyond their company statements.
However Google's action met with firm approval from within the IT security industry. TK Keanini, CTO at Lancope applauded the action. “Good job Google! It's a reminder that technology is only part of security. The other part is social, and if you can't play by the rules of the system, you get kicked out! The CA system is built on the foundation that everyone must play by the rules and no one should tolerate abuse.
He added that he hoped Google's action would provide a path for others to follow. “Without this level of consequence much more abuse would occur, so the community should really be thankful that Google took this action in a timely manner,” he added.
CNNIC is not barred indefinitely. In a statement, Google engineer Adam Langley said that the Chinese organisation was working to prevent any future incidents. “CNNIC will implement Certificate Transparency for all of its certificates prior to any request for reinclusion. “We applaud CNNIC on its proactive steps, and welcome it to reapply once suitable technical and procedural controls are in place,” the statement said.
Google would not comment on how it would be working with CNNIC and when it expected the clean bill of health, the company spokeswoman would not go beyond official statements.