Google said on its official security blog it would no longer recognise the China Internet Network Information Center (CNNIC) certificate authorities, after a joint investigation between the company and CNNIC into a potential security lapse last month.
Google’s Chrome users may get a warning when attempting to visit sites certified by CNNICCNNIC, which plays a central role in administering China’s internet by allocating and certifying IP addresses and web domain names, urged Google to consider user rights and interests.
“The decision that Google has made is unacceptable and unintelligible,” the agency said in a statement on its website.
CNNIC’s certificates came under scrutiny after an official Google blog post said the Chinese agency had allowed Cairo-based MCS Holdings to issue unauthorised certificates for various Google domains.
That rendered connections between users and those websites vulnerable to ‘man-in-the-middle’ hacking attacks, Google said.
Microsoft and Mozilla also removed trust of those unauthorized certificates last week, following Google’s post.
“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents,” Google said on Wednesday.
CNNIC was welcome to reapply for recognition “once suitable technical and procedural controls are in place,” and CNNIC’s existing certificates would be trusted for a limited time through a whitelist.
MCS Holdings said in a statement on its website last week that the security lapse was the result of human error following testing of certificates issued to it by CNNIC, which was meant to take place in a controlled environment.