Google decides to stop trusting CNNIC certificates

In the wake of last week’s incident caused by the issuance of unauthorized digital certificates for a number of Google domains by the hands of MCS Holdings, an intermediate CA operating under the China Internet Network Information Center (CNNIC), Google has decided to make its Chrome browser no longer recognise the digital certificate issued by CNNIC as valid.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” Google Security Engineer Adam Langley announced.

The change will not be immediate – it will happen take effect in a future Chrome update – so that customers who have obtained their certificates from CNNIC will have time to get new ones from another CA so that their online presence is not disrupted.

“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion,” he concluded.

UPDATE: Despite having worked with Google on getting to the bottom of this problem, CNNIC is obviously surprised by Google’s decision. “The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” they commented.