China and Google Clash Over Digital Certificates

A Chinese Internet administrator blasted Google on Thursday, after the U.S.-based tech giant decided to stop recognizing digital certificates issued by the group, following a lapse in security.

"The decision that Google has made is unacceptable and unintelligible," China's Internet Network Information Center (CNNIC) said in an online posting.

So what does this mean for Internet users in China? Google's decision means that its Chrome browser could end up clashing with sites serviced by the Chinese Internet agency. Google explained the move in an earlier blog post on Wednesday. The company is still concerned by the way the CNNIC issued a certificate to a company based in Egypt that misused it in a botched security test.

Both Google and the CNNIC conducted a joint investigation, but despite efforts to work together, the company ultimately decided to drop the Chinese Internet agency as a recognized root certificate authority. However, Google indicated that this is only a temporary measure and the Chrome browser will continue at least for a limited time trusting the existing CNNIC issued certificates.

"We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place," Google says.

If a standoff continues, Google's decision could severely hamper the Chinese Internet agency's reach. When encountering a new CNNIC issued certificate, the Chrome browser will issue a warning, telling users of the potential risks when accessing these sites.

The proper use of digital certificates is paramount. If they are abused, they could be used to conduct hacking attacks against unsuspecting users. The CNNIC administers China's Internet infrastructure and runs the .cn domain name, but it is also linked to the Chinese government, which has been accused of launching cyberattacks against U.S. companies and activist groups.

On Thursday, CNNIC said that existing customers with certificates would not be affected by the decision made by Google. However, the agency could face problems acquiring certificates for new customers. F-Secure security advisor Su Gim Goh said that by dropping the CNNIC, Google is indirectly driving more business to competitors.

"You will most likely want to purchase from someone else, so that your business won't be affected," Goh says. "It's definitely an interesting move, let's see what the other browsers do."

So far Microsoft and Mozilla did not immediately respond to the move by Google. Although last month Mozilla took action and revoked the CNNIC issued certificate misused by MCS Holdings. If other browsers do follow Google's footsteps, the CNNIC could face more problems moving ahead.

Join the Discussion

Recommended Stories

Real Time Analytics