Google and China’s internet authority are locked in a war of words over the search giant’s decision not to recognize the certificates of trust for Chinese websites.
Here’s the whole saga explained.
What has Google done?
In an official blog post Wednesday, Google said that its Chrome browser and other products will not recognize security certificates issued by the China Internet Network Information Center (CNNIC), China’s internet authority.
This means that when users attempt to visit a Chinese website certified by the CNNIC using Google Chrome, they will be presented with a warning message about the website’s security. However, users can choose to ignore this and proceed to the site.
“To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist,” Google said on its blog.
What’s a security certificate?
A security certificate is a digital document used to prove that a website’s domain name does in fact belong to the company that claims to own it.
Sometimes users can see a padlock in the corner of the web address bar. This means that communication with the website is encrypted and that the website’s certificate has been issued by a so-called certificate authority (CA).
The CNNIC is one such organization dealing with Chinese websites.
What is the issue?
Last week, Google accused MCS Holding, a CA contracted by the CNNIC, of issuing unauthorized security certificates for several Google domains.
This led to a security lapse that opened up the possibility of a so-called man-in-the-middle attack, in which a hacker intercepts the communication between a user and a website. With an unauthorized certificate, an attacker can pose as the genuine website, so the encryption no longer protects users and leaves them open to having their details stolen.
There is no evidence that users of Google’s Chinese websites were affected.
Who was to blame?
MCS Holding maintains that the security lapse was a “human mistake.”
Google said that this was “congruent with the fact” but that CNNIC “still delegated their substantial authority to an organization that was not fit to hold it.”
War of words
The U.S. search giant was conciliatory towards CNNIC. “We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place,” Google said on its official blog.
The CNNIC, however, slammed Google’s move.
“The decision that Google has made is unacceptable and unintelligible to CNNIC,” the authority said in a statement on its website.
Once the CNNIC has improved its processes to Google’s satisfaction, it could reapply to have its security certificates recognized, so that those sites are marked as trusted again.