Chrome no longer to show Chinese government-certified websites

2 Apr 2015

Almost all of China’s websites are soon to be banished from Google Chrome following a major breach of trust with the Chinese government’s internet authority.

The decision comes after the China Internet Network Information Center (CNNIC), which orchestrates internet affairs for the Chinese government, was found to be the source of a surge in unauthorised certificates that affected a number of the world’s most popular websites, leaving them open to cyber-attacks.

Google issued a post denouncing the huge breach of trust that the Chinese internet authority had engaged in, saying that almost anyone using their browser, regardless of operating system, would have been vulnerable, as the user’s browser would have been tricked into treating the unauthorised certificates as valid.

According to Ars Technica, the certificates were found to originate from the Egypt-based group MCS Holdings, which acts as an intermediate of CNNIC and was issuing certificates that left many Chrome users open to man-in-the-middle attacks.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” Google have said.

Not limited to Google

Given that this affects a considerable number of websites from the world’s most populous country, Google is now offering an undefined grace period for site developers to switch their certificates to another provider.

After this, these sites and everything related to CNNIC will be placed on a blacklist in a browser that is reportedly used by over half of the country, at 52pc.

Even more worrying for Chinese users is that Mozilla, asked whether it will take similar action to Google, has responded by saying it is looking into the possibility.

“We believe it is very important to include the Mozilla community in these discussions, so we are taking a bit longer to announce our official plan. We expect to wrap up our discussion in mozilla.dev.security.policy soon, and in the meantime you can see the plan we are currently discussing here,” Mozilla’s cryptographic engineering manager, Richard Barnes, said.


Colm Gorey was a senior journalist with Silicon Republic
