Last night, Google picked a big fight with China's biggest web registrar. In a post on the company's security blog, Google announced it would no longer be registering new HTTPS certificates from the China Internet Network Information Center (or CNNIC), effectively cutting the registrar out of the SSL system that secures the web. HTTPS certificates are what let a browser confirm it is talking to the genuine site, so that web content cannot be silently intercepted in transit; that assurance is typically expressed as a padlock symbol next to the browser address bar. CNNIC handles that certificate process for the whole Chinese web, so it's a move that could have real consequences for Google and China going forward.
According to Google, the move is a direct result of bad behavior on CNNIC's part. In March, one of CNNIC's certificates was used by an Egyptian web company to perform a man-in-the-middle attack: because browsers trust any certificate that chains back to CNNIC, a certificate issued under its authority could pass for a legitimate site, and after an investigation, Google concluded CNNIC wasn't being careful enough in how its certificates were used. CNNIC has protested the decision, and is promising that users will be unaffected. "The decision that Google has made is unacceptable and unintelligible to CNNIC," the center said in a statement, "and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration."
The move isn't as bad news for China as it sounds. CNNIC's old certificates will still work, and while it won't be able to issue new ones right away, the center is already working through Google's Certificate Transparency process to recertify itself. The Chinese government has actively discouraged the use of HTTPS by many Chinese web companies as a way to reinforce the Great Firewall, and as a result, CNNIC's share of the certificate market is quite small, representing less than 0.1 percent of the certificates used on the web. The move comes at a particularly fraught time for the Chinese web, on the heels of a string of DDoS attacks against GitHub and GreatFire.org's mirror sites, believed to have been directed by the Great Firewall.
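To make concrete what "old certificates still work, new ones don't" means at the browser level, here is an added Go example (written for this page, not Google's or Chrome's code). It models the trust decision as an assumed, simplified policy: chains ending at a distrusted root are accepted only for leaves issued before a cutoff date and present on an allow list. The root CA, the two example.com leaves, the cutoff and the dates are all constructed for the example; the real Chrome rules and allow list are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// sha256hex identifies a root by its SubjectPublicKeyInfo and a leaf by its full DER.
func sha256hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Policy is an assumed model of a browser trust decision, not Chrome's actual logic:
// any chain to a root in Roots validates normally, except that chains ending at a
// Distrusted root are accepted only for leaves issued before Cutoff and listed in
// Allowed. That is what keeps pre-existing certificates working after the distrust.
type Policy struct {
	Roots      *x509.CertPool
	Distrusted map[string]bool // SPKI hash of each distrusted root
	Cutoff     time.Time
	Allowed    map[string]bool // certificate hash of pre-existing leaves still accepted
}

// Accept validates leaf for host at time now and then applies the distrust rule.
func (p Policy) Accept(leaf *x509.Certificate, host string, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return err
	}
	root := chains[0][len(chains[0])-1]
	if !p.Distrusted[sha256hex(root.RawSubjectPublicKeyInfo)] {
		return nil
	}
	if leaf.NotBefore.Before(p.Cutoff) && p.Allowed[sha256hex(leaf.Raw)] {
		return nil
	}
	return fmt.Errorf("issuer %q is distrusted and the certificate is not allow-listed", root.Subject.CommonName)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

// Demo builds a constructed root CA and two example.com leaves, one issued before the
// cutoff and allow-listed, one issued after, and reports whether each is accepted.
func Demo() (oldAccepted, newAccepted bool, err error) {
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore: date(2014, 1, 1), NotAfter: date(2030, 1, 1),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return false, false, err
	}
	leaf := func(serial int64, notBefore time.Time) (*x509.Certificate, error) {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example.com"},
			DNSNames: []string{"example.com"}, NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return issue(tmpl, root, &newKey().PublicKey, rootKey)
	}
	oldLeaf, err := leaf(100, date(2015, 1, 15)) // constructed: issued before the cutoff
	if err != nil {
		return false, false, err
	}
	newLeaf, err := leaf(101, date(2015, 4, 5)) // constructed: issued after the cutoff
	if err != nil {
		return false, false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	policy := Policy{
		Roots:      pool,
		Distrusted: map[string]bool{sha256hex(root.RawSubjectPublicKeyInfo): true},
		Cutoff:     date(2015, 4, 1),
		Allowed:    map[string]bool{sha256hex(oldLeaf.Raw): true},
	}
	now := date(2015, 4, 10)
	oldAccepted = policy.Accept(oldLeaf, "example.com", now) == nil
	newAccepted = policy.Accept(newLeaf, "example.com", now) == nil
	return oldAccepted, newAccepted, nil
}

func main() {
	oldOK, newOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pre-existing allow-listed certificate accepted: %v\n", oldOK)
	fmt.Printf("newly issued certificate accepted: %v\n", newOK)
}
```

Both leaves chain correctly to the root, so ordinary X.509 validation passes for each; the difference is entirely in the policy layer applied afterwards, which is why a browser vendor can make this change without touching the wider certificate ecosystem. Keying the distrust on the root's public key hash rather than its name means a re-issued root with the same key stays distrusted.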
It's unusual for a single company to make such a move unilaterally, and it underscores Google's increasingly central place in maintaining the security of SSL for the web at large. Chrome is so widely used that changing its settings is enough to force most certificate authorities to adopt better practices, completely independent of the larger web of trust. A similar dynamic was at work this February as companies scrambled to delist bad certificates established by Lenovo's Superfish adware. In the end, most of the bad certificates were caught by Microsoft's Windows Defender, simply because of the broad reach of the program.