Last month, a Chinese certificate authority issued valid security certificates for a number of domains, including Google’s, without their permission, which resulted in a major trust breach in the crypto chain.
CNNIC had delegated its authority to Egyptian intermediary MCS Holdings to issue the certificates in question and the company installed it in a man-in-the-middle proxy internally.
Google said in its original post that CNNIC had “delegated their substantial authority to an organization that was not fit to hold it.”
Today, the company has updated its post, saying it will drop the CNNIC root certificate authority entirely after a joint investigation into what happened, despite the companies confirming that the certificates were never used outside a test lab.
In its post, Google said that “CNNIC Root and EV CAs will no longer be recognized in Google products” and an update will be issued soon for Chrome that removes the provider.
The security provider has come under fire in the past for allegedly performing internet censorship on users inside China, as well as reportedly producing malware.
Those affected have a small window in which Google will allow certificates to be trusted so they have time to issue a new one, before they are marked as invalid.
Read more: http://thenextweb.com/insider/2015/...oot-certificate-authority-after-trust-breach/