Google has announced that it is banning all security certificates issued by the Chinese certificate authority CNNIC after a major security breach. Google says that it became aware of unauthorized digital certificates for several Google domains.
The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.
The ban is significant considering that all .cn country-code domains carry security certificates issued by CNNIC. Other websites with a specifically Chinese identity may also be affected, since Chrome will no longer accept their certificates.
Google explains that CNNIC is included in all major root stores, so the mis-issued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and later would nevertheless have rejected these certificates because of public-key pinning, although mis-issued certificates for other sites likely exist.
Google further said that it had promptly alerted CNNIC and other major browser vendors about the incident, and blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd, explaining that it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that MCS itself had registered.
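Why pinning and the CRLSet push catch a chain that ordinary root-store validation accepts, as an added illustration (not code from Google, Chrome or the article): the SPKI blobs, chain names and pin sets below are constructed stand-ins, and a real client would hash the actual SubjectPublicKeyInfo bytes of each certificate in the served chain.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each
# certificate; a real client hashes the actual SPKI bytes from the chain.
SPKI = {
    "cnnic-root": b"constructed-spki-cnnic-root",
    "mcs-intermediate": b"constructed-spki-mcs-holdings-intermediate",
    "rogue-leaf": b"constructed-spki-rogue-leaf-for-google-domain",
    "legit-root": b"constructed-spki-some-other-trusted-root",
    "google-ca": b"constructed-spki-google-operated-issuing-ca",
    "legit-leaf": b"constructed-spki-genuine-google-leaf",
}

# Root store as the article describes it: CNNIC sits beside every other root.
TRUSTED_ROOTS = {"cnnic-root", "legit-root"}

def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SPKI)), the format Chrome's static pins use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Static pins for Google domains: only Google-controlled keys (hypothetical).
GOOGLE_PINS = {spki_pin(SPKI["google-ca"])}
# CRLSet after Google's push: the MCS Holdings intermediate key is blocked.
CRLSET_BLOCKED = {spki_pin(SPKI["mcs-intermediate"])}

def chain_trusted(chain):
    """Ordinary PKI check: the chain terminates in a root from the store."""
    return chain[-1] in TRUSTED_ROOTS

def pin_ok(chain, pins):
    """Pinning: at least one certificate in the chain must match a pin.
    An empty pin set means the host is not pinned and always passes."""
    return not pins or any(spki_pin(SPKI[c]) in pins for c in chain)

def crlset_ok(chain, blocked):
    """CRLSet: reject if any certificate in the chain has a blocked SPKI."""
    return not any(spki_pin(SPKI[c]) in blocked for c in chain)

def accept(chain, pins=frozenset(), blocked=frozenset()):
    return chain_trusted(chain) and pin_ok(chain, pins) and crlset_ok(chain, blocked)

ROGUE_CHAIN = ["rogue-leaf", "mcs-intermediate", "cnnic-root"]
LEGIT_CHAIN = ["legit-leaf", "google-ca", "legit-root"]

if __name__ == "__main__":
    print("rogue chain, root store only:", accept(ROGUE_CHAIN))                        # True
    print("rogue chain, pinned Google domain:", accept(ROGUE_CHAIN, GOOGLE_PINS))     # False
    print("rogue chain, unpinned site, CRLSet:", accept(ROGUE_CHAIN, blocked=CRLSET_BLOCKED))  # False
    print("genuine chain, pinned Google domain:", accept(LEGIT_CHAIN, GOOGLE_PINS))   # True
```

The first line shows the root-store problem the article describes: with CNNIC trusted, the rogue chain validates; only the pin set (for Google domains) or the CRLSet (for any other site) turns it away.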
Though CNNIC’s explanation was congruent with the incident,