People leave the Google Inc. office in Beijing, China, on Monday, March 22, 2010. Google Inc., following through on a pledge to stop censoring search results in China, began serving mainland Chinese users via its unfiltered Hong Kong site, a move that could prompt the government to block the service. Photographer: Doug Kanter/Bloomberg
© Bloomberg

Google has become embroiled in a dispute over web security after a Chinese internet regulator labelled as “unacceptable and unintelligible” a decision by the US company to stop trusting its authority to certify that websites are safe.

In practice, Google’s rejection means it will henceforth warn users against accessing some websites in China’s .cn domain, due to uncertain security.

Google said on its security blog last week that the China Internet Network Information Center (CNNIC) had allowed a subcontractor to issue unauthorised digital certificates, which are used by internet browsers to verify that a website is legitimate.

“Basically these certificates ensure that everything on the internet is what it says it is,” said an executive at an IT company. They are intended to protect against scams such as “phishing”, in which users can be tricked into confiding information to fake websites, or “man in the middle” cyber attacks, in which hackers can intercept login details by rerouting traffic through an insecure connection.

MCS, an Egypt-based company subcontracted by CNNIC to issue the certificates — a common practice — committed a “serious breach of the certificate authority system”, Google said in a blog post on March 23. However, it added that it did not believe the unauthorised certificates were a deliberate attempt to hack.

“We have no indication of abuse and we are not suggesting that people change passwords or take other action,” said Google.

On Wednesday, following discussions with CNNIC, Google said it would withdraw trust in newly issued certificates but would continue to recognise existing ones provided to Google by CNNIC on a “whitelist”, which it would post on the internet.
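The trust decision described above, as an added illustration that is not code from Google or the article: a verifier walks a leaf-first chain, refuses anything that anchors in the distrusted root, and makes an exception only for leaf certificates whose SHA-256 fingerprint is on a published whitelist and which predate the distrust cutoff. The root name, cutoff date, DER bytes and certificate records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from hashlib import sha256

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes        # constructed stand-in for the real DER encoding
    not_before: date

    def fingerprint(self) -> str:
        return sha256(self.der).hexdigest()

# Hypothetical policy state mirroring the article: the CA root is no longer
# trusted for new issuance, but leaf certificates already on a published
# whitelist (keyed by SHA-256 fingerprint) are still honoured.
DISTRUSTED_ROOTS = {"CN=Distrusted Root CA"}
CUTOFF = date(2015, 4, 1)   # assumed cutoff date, not taken from the article

def chain_verdict(chain: list[Cert], whitelist: set[str]) -> str:
    """Classify a leaf-first chain as 'trusted', 'whitelisted' or 'rejected'."""
    leaf, root = chain[0], chain[-1]
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return "rejected"                  # broken issuer/subject link
    if root.subject != root.issuer:
        return "rejected"                      # chain does not end in a self-signed anchor
    if root.subject not in DISTRUSTED_ROOTS:
        return "trusted"
    if leaf.fingerprint() in whitelist and leaf.not_before < CUTOFF:
        return "whitelisted"                   # grandfathered existing certificate
    return "rejected"                          # anything new from this CA

# Constructed sample hierarchy: distrusted root -> subordinate CA -> two leaves,
# plus an unrelated root that stays trusted.
ROOT = Cert("CN=Distrusted Root CA", "CN=Distrusted Root CA", b"root", date(2010, 1, 1))
SUB = Cert("CN=Sub CA", "CN=Distrusted Root CA", b"sub", date(2014, 1, 1))
OLD_LEAF = Cert("CN=example.cn", "CN=Sub CA", b"old-leaf", date(2014, 6, 1))
NEW_LEAF = Cert("CN=new.example.cn", "CN=Sub CA", b"new-leaf", date(2015, 5, 1))
OTHER_ROOT = Cert("CN=Other Root CA", "CN=Other Root CA", b"other", date(2008, 1, 1))
OTHER_LEAF = Cert("CN=example.org", "CN=Other Root CA", b"other-leaf", date(2015, 5, 1))
WHITELIST = {OLD_LEAF.fingerprint()}

def demo() -> dict[str, str]:
    """Run the policy over the constructed chains and return each verdict."""
    return {
        "old_whitelisted": chain_verdict([OLD_LEAF, SUB, ROOT], WHITELIST),
        "new_not_listed": chain_verdict([NEW_LEAF, SUB, ROOT], WHITELIST),
        "new_listed_but_late": chain_verdict([NEW_LEAF, SUB, ROOT], WHITELIST | {NEW_LEAF.fingerprint()}),
        "other_root": chain_verdict([OTHER_LEAF, OTHER_ROOT], WHITELIST),
    }
```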

“We applaud CNNIC on their proactive steps and welcome them to reapply once suitable technical and procedural controls are in place,” Google said.

Given the generally amicable tone of the resolution, Thursday’s combative CNNIC response suggests that higher politics have become involved. Also on Thursday, Google’s blog post explaining the problem was blocked in China.

CNNIC said: “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected”, adding that “the decision that Google has made is unacceptable and unintelligible”.

The dispute comes at a particularly sensitive time for CNNIC, following a cyber attack last week on code-sharing website Github — a San Francisco-based online forum for software developers that also hosts tools employed by Chinese internet users to bypass censorship.

The attack appeared to have originated in China, and focused attention on the security architecture of China’s internet infrastructure.


Some advocates of web freedom in China have long urged major software vendors to revoke CNNIC-issued certificates.

“We’ve been calling for this action for more than a year,” said Charlie Smith of Greatfire.org, which monitors Chinese internet censorship. “The Chinese authorities have maliciously been using their power as a certificate authority to launch dangerous attacks that compromise sensitive user information across many foreign media platforms,” he said.

However, Adam Fisk of Getlantern.org, which provides tools to circumvent China’s internet blocks, dismissed any link to Github.

The attack on Github “probably made Google’s security team more prone to make this move,” said Mr Fisk, “but just the fact that there were bogus intermediary certificates issued at all with CNNIC should be enough to warrant what Google did.”

China has had a fractious relationship with Google since the US search engine pulled out of mainland China in 2010 amid fears over privacy. Last year most Google services were blocked in China.

Copyright The Financial Times Limited 2024. All rights reserved.