According to reports, Google started a big war with the biggest web registrar in China. In a company security blog, Google boldly claimed that the new HTTPS certificates from China would no longer be registered. Because these certificates come from the China Internet Network Information Center, also referred to as CNNIC, the registrar is being cut from the SSL system that provides web security.
HTTPS certificates are essential to ensure that web content cannot be intercepted during transit. This is most important for content that is marked with a padlock symbol by the address bar in the browser. In addition, CNNIC oversees the process for the entire web in China. Therefore, Google’s move could have a major impact on the company and its relationship with China from this point on.
Apparently, Google’s move was due to poor behavior by CNNIC. As an example, last month one certificate was used by a web company in Egypt to carry out a man-in-the-middle attack. Once the investigation had concluded, Google decided that CNNIC was careless in the use of its certificates.
As expected, CNNIC is strongly protesting this, and in response the organization has vowed there would be no effect on users. According to a statement from a CNNIC representative, the decision that Google made is unacceptable and unintelligent. Meanwhile, the organization genuinely encourages Google to consider the rights and interests of users.
Although the news sounds horrible, in fact it may not impact China as much as imagined. The reason is that old CNNIC certificates are still up and functioning. Although CNNIC cannot deal with new issues immediately, the organization is already working hard to gain recertification by going through the Certificate Transparency process that Google maintains.
For some time, the Chinese government, looking to reinforce the Great Firewall, has discouraged many web companies from using HTTPS. Because of this, share in the certificate market has dropped significantly. In fact, CNNIC certificates currently in use account for less than 1%.
The Chinese web is already facing major issues after DDoS attacks against GreatFire.org and GitHub’s mirror sites. Authorities believe both of those attacks were spearheaded by the Great Firewall.
For Google to make such a move is extremely rare, but the decision underscores its belief in the importance of maintaining SSL security for the web as a whole. Because Chrome is the biggest web browser, settings are being changed so most certificate authorities are forced to accept better practices that go well beyond web trust.
In February, something similar was seen when bad certificates created by Lenovo Superfish adware left websites scrambling. Ultimately, the majority of those certificates were picked up by Windows Defender thanks to the sophisticated abilities of the program.