Google Chrome has updated its report on mis-issued digital certificates from China and CNNIC, ceasing to support them after a short grace period offered to their current users. Firefox and Microsoft are following the very same steps on the matter.
As you may recall, Google announced a few days ago that there had been severe security issues with MCS Holdings and CNNIC (China Internet Network Information Center) digital certificates. As a result, the former was blocked right away and the latter was placed under scrutiny. Now, Google has updated its initial blog post and has offered its users a lot more information. Google Chrome is indeed the second most popular browser internationally, and its credibility should in no way be jeopardized. Consequently, the company has decided to block support for the security certificates coming from CNNIC.
In detail, the update from Google security engineer Adam Langley reports: “As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the non-authorized certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for re-inclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
From the updated announcement, it is clear that there is no actual grudge between Google and CNNIC. Nevertheless, the security vulnerabilities were too grave to ignore, and Google could do nothing short of what it has already done. There is a general reassurance as to the scope of the mis-issued certificates, as you can see in the carefully chosen words above. As for the customers who use these certificates, there will be a grace period for them to take advantage of. Although it is unclear when this period will end, those customers will continue using the very same certificates for now and will be prompted to replace them at their earliest convenience.
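The trust decision described in the announcement can be modelled as a small policy: a root CA is distrusted, leaf certificates on a publicly disclosed whitelist keep working for the grace period, and a sub-CA that mis-issued is blocked outright. The following is an added illustration, not Chrome's verifier, and the certificate bytes, subject names and whitelist are constructed stand-ins rather than real DER or real CNNIC data.

```python
"""Policy model of a distrust-with-whitelist decision. Added example,
not Chrome's code. Certificates below are constructed placeholders."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed placeholder standing in for DER encoding

    def fingerprint(self) -> str:
        # Whitelists are published as hashes of the whole certificate.
        return hashlib.sha256(self.der).hexdigest()


def decide(chain, distrusted_roots, blocked_cas, whitelist):
    """chain is leaf-first and ends in the root. Returns (trusted, reason)."""
    if not chain:
        return False, "empty chain"
    # Every certificate must be issued by the next one up the chain.
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False, f"{lower.subject} is not issued by {upper.subject}"
    # A blocked sub-CA poisons everything beneath it, whitelist or not.
    for cert in chain:
        if cert.subject in blocked_cas or cert.issuer in blocked_cas:
            return False, f"chain passes through blocked CA {cert.issuer}"
    leaf, root = chain[0], chain[-1]
    if root.subject not in distrusted_roots:
        return True, "chain ends in a trusted root"
    if leaf.fingerprint() in whitelist:
        return True, "distrusted root, but leaf is on the grace-period whitelist"
    return False, f"root {root.subject} is no longer trusted; leaf not whitelisted"


# Constructed sample hierarchy (names and bytes are not real certificates).
CNNIC_ROOT = Cert("CNNIC ROOT", "CNNIC ROOT", b"constructed-root")
CNNIC_INT = Cert("CNNIC SSL CA", "CNNIC ROOT", b"constructed-int")
MCS_SUB_CA = Cert("MCS Holdings CA", "CNNIC ROOT", b"constructed-mcs")
OLD_SITE = Cert("www.example.cn", "CNNIC SSL CA", b"constructed-old-leaf")
NEW_SITE = Cert("new.example.cn", "CNNIC SSL CA", b"constructed-new-leaf")
MCS_LEAF = Cert("test.example.com", "MCS Holdings CA", b"constructed-mcs-leaf")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA", b"constructed-other-root")
OTHER_SITE = Cert("www.example.org", "Other Root CA", b"constructed-other-leaf")

DISTRUSTED_ROOTS = {"CNNIC ROOT"}
BLOCKED_CAS = {"MCS Holdings CA"}
WHITELIST = {OLD_SITE.fingerprint()}  # hashes of pre-existing, allowed leaves

if __name__ == "__main__":
    for chain in ([OLD_SITE, CNNIC_INT, CNNIC_ROOT], [NEW_SITE, CNNIC_INT, CNNIC_ROOT],
                  [MCS_LEAF, MCS_SUB_CA, CNNIC_ROOT], [OTHER_SITE, OTHER_ROOT]):
        print(chain[0].subject, decide(chain, DISTRUSTED_ROOTS, BLOCKED_CAS, WHITELIST))
```

Only the leaf already on the whitelist survives the distrust; a certificate newly issued under the same root, or anything under the blocked sub-CA, is rejected.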
In light of these events, Firefox and Microsoft have addressed the problem and are taking similar steps to prevent security breaches and vulnerabilities that could harm their networks and customers. It is encouraging to see the companies working together and informing one another about issues related to cyber security and privacy. Even though they are competitors whose interests sometimes conflict, at the end of the day there is a common threat acknowledged by every one of them, and that threat requires cooperation and proactive measures.
Top/Featured image: By Carlosluna via Flickr