In a post on the company’s official security blog, Google announced it will no longer accept new HTTPS certificates from China’s official web registrar, the China Internet Network Information Center (CNNIC).
Since CNNIC deals with HTTPS certificates for the entire Chinese web, Google has effectively prevented any further Chinese websites from entering the SSL system. This is a move that could have significant consequences.
Google defends its decision by claiming the CNNIC isn’t being careful enough in granting HTTPS certificates. Just recently, one of CNNIC’s certificates was used by an Egyptian web company to perform a man-in-the-middle attack.
“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update.”
Predictably, the CNNIC is upset with this decision, and voices its concerns in a statement on its website:
“The decision that Google has made is unacceptable and unintelligible to CNNIC… and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.”
Going forward, CNNIC’s existing HTTPS certificates will still be valid, but new ones will not be issued for the foreseeable future.
The CNNIC is currently working to re-certify itself through Google’s Certificate Transparency process, at which point Google may again allow the Center to issue HTTPS certificates.