Because of the use of a man-in-the-middle proxy by a third party, security certificates issued by the China Internet Network Information Center (CNNIC) are being rejected by Chrome and other Google products.

Google discovered that CNNIC contracted MCS Holdings to issue security certificates. The Cairo-based firm was found to be using a man-in-the-middle proxy to issue them, rather than storing the security keys in a hardware security module.

The use of the proxy leaves information vulnerable to interception, so Google raised the issue with CNNIC as well as other organizations that maintain web browsers.

In a March 23 blog post, Google stated CNNIC still "delegated their substantial authority to an organization that was not fit to hold it."

On April 1, Google announced that its products will reject certificates issued by CNNIC. The move to reject certificates from CNNIC and MCS Holdings will cause Chrome and other Google products to recognize connections to sites that use the keys as being unsecured.

Every business registered with CNNIC, usually denoted with the .CN domain, will be affected by the change. Users attempting to visit such sites will receive a warning that their connections aren't secure.

The changes will be rolled out in future updates of Google products. In the meantime, Google has created a whitelist for some CNNIC certificates.

Google doesn't believe any more security certificates have been issued via the proxy. However, it is working with CNNIC to make sure that the digital keys aren't issued via a man-in-the-middle proxy again.

"CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion," added Google.

"We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place."

While Google is satisfied with the progress that has been made, CNNIC has met the entire process with disgust.

"The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC [is] sincerely [urging] that Google [take] users' rights and interests into full consideration," stated CNNIC on its website. "For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected."

ⓒ 2021 All rights reserved. Do not reproduce without permission.