Google announced that its full line of products will no longer recognize the CNNIC root certificate (blog post translation)

Google Online Security Blog

In late March, a sudden storm swept through the network ...... In short, on March 23 Google published a blog post about a certificate problem, directed at CNNIC, and updated it again on the 1st of this month, making its attitude toward CNNIC clear. R0uter cannot personally comment on this matter, so I have just translated the original article here. I cannot claim the result is polished, but it should at least be a lot better than the online machine translation; consider it practice ......


 

Maintaining digital certificate security

Posted: Monday, March 23, 2015

Posted by Adam Langley, Security Engineer

On Friday, March 20, we began to notice some unauthorized digital certificates for Google domains. These certificates were issued by an intermediate certificate authority belonging to a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

CNNIC is included in all of the major root stores, so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X and Linux, ChromeOS, and Firefox 33 and later would have rejected these certificates because of public-key pinning, although misissued certificates for other sites may exist.
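How pinning separates the two outcomes described above, as an added example that is not part of the original post or of Chrome's code. The SPKI byte strings, the pin set and the root store are constructed stand-ins, and signature checking of the chain is assumed to have already passed.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo blob (the pin-sha256 form)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
SPKI = {name: b"constructed-spki:" + name.encode() for name in (
    "google-leaf", "pinned-google-intermediate", "other-trusted-root",
    "proxy-leaf", "mcs-intermediate", "cnnic-root")}

# Root store: every public root the client trusts, CNNIC included.
ROOT_STORE = {spki_pin(SPKI["other-trusted-root"]), spki_pin(SPKI["cnnic-root"])}

# Hypothetical pin set: domain -> SPKI pins, applied to subdomains too.
PINSETS = {"google.com": {spki_pin(SPKI["pinned-google-intermediate"])}}

def pins_for(host):
    """Return the pin set for host or a parent domain, or None if unpinned."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        pins = PINSETS.get(".".join(labels[i:]))
        if pins:
            return pins
    return None

def evaluate(host, chain):
    """chain is a leaf-first list of SPKI blobs with the root last."""
    chain_pins = [spki_pin(s) for s in chain]
    if chain_pins[-1] not in ROOT_STORE:
        return "reject: untrusted root"
    pins = pins_for(host)
    # A pinned host needs at least one key in the chain to be in its pin set.
    if pins is not None and not pins.intersection(chain_pins):
        return "reject: pin mismatch"
    return "accept"

LEGIT = [SPKI["google-leaf"], SPKI["pinned-google-intermediate"],
         SPKI["other-trusted-root"]]
MISISSUED = [SPKI["proxy-leaf"], SPKI["mcs-intermediate"], SPKI["cnnic-root"]]

if __name__ == "__main__":
    for host, chain in (("www.google.com", LEGIT),
                        ("www.google.com", MISISSUED),
                        ("example.org", MISISSUED)):
        print(host, "->", evaluate(host, chain))
```

The misissued chain is rejected only for the pinned host; for an unpinned site the same chain is accepted because its root is in the store.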

We promptly informed CNNIC and the other major browsers of this matter, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd and explained that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for sites that they had registered. However, rather than keeping the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination, and are sometimes used by companies to monitor or intercept their employees' secure traffic for legal or other reasons. Usually the employees' computers must be configured to trust the proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious violation of the CA system. The situation is similar to a mistake made by ANSSI in 2013.

This explanation is consistent with the facts. However, CNNIC still delegated its substantial authority to an organization that was not fit to hold it.

Chrome users do not need to take any action to be protected by the CRLSet update. We have no indication of abuse, and we do not recommend that people change passwords or take other measures. At the same time, we are considering what further action is appropriate.

Once again, this event highlights that the Certificate Transparency effort is very important for protecting the security of certificates in the future.

(Details of the certificate chain for software vendors can be viewed here.)

April 1 Update: As a result of a joint investigation by Google and CNNIC into the events surrounding this incident, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in the next Chrome update. To help users affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, by means of a publicly disclosed whitelist. Although neither we nor CNNIC believe that any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings' test network, CNNIC will work to avoid any further incidents. CNNIC will implement Certificate Transparency for all of its certificates before any request to be re-included (Translator's note: I had no idea how to translate this sentence ......). We applaud CNNIC's positive steps, and welcome them to re-apply once appropriate technical and procedural controls are in place.

 


Right, and this is the response CNNIC published on the 2nd after seeing the article:

CNNIC response

1. CNNIC finds Google's decision difficult to understand and accept, and urges Google to give full consideration to protecting the interests of users.
2. CNNIC will effectively ensure that its existing users are not affected.


 

China Internet Network Information Center (abbreviated as CNNIC) is an Internet management and service organization established on June 3, 1997, with the approval of the competent department of the State Council of the People's Republic of China. When it was first established, CNNIC was supervised by the Chinese Academy of Sciences; at the end of 2014, supervision passed to the Office of the Central Leading Group for Network Security and Informatization and the National Internet Information Office.


  1. This article was translated from the original by the blogger; because the blogger's knowledge is limited, omissions are inevitable, and readers are welcome to write in or comment with corrections;
  2. The original article is here
  3. For further reference, see the related articles on the Moonlight Blog

 

 

Original article from R0uter's Blog: R0uter's Blog » Google announced that its full line of products will no longer recognize the CNNIC root certificate (blog post translation)

When reproducing, please keep the source and link: https://www.logcg.com/archives/871.html

By R0uter's Blog

Unless otherwise stated, the articles I write are original. When reproducing them, please include the link to this page and my name.
