A Chinese Internet authority responsible for ensuring the security of the World Wide Web compromised that security, according to search giant Google.
Google announced on its security blog on March 23 that three days prior, they “became aware of unauthorized digital certificates for several Google domains.” The certificates were issued by the Egypt-based MCS Holdings.
MCS Holdings is in turn operated by the China Internet Network Information Center (CNNIC). Since 2010, CNNIC has been granted the authority by major Web browsers to issue certificates.
Secure connections on the Internet depend on certificates. Each website presents one, and browsers rely on that certificate to verify that the site the user is looking at is the site it claims to be.
The importance of an Internet security certificate cannot be overstated, according to James Gabberty, professor of information systems at Pace University in New York City.
“It underpins everything,” Gabberty said in a phone interview. “Certificate authorities are key to everything. Otherwise there is no trust on the Internet. A site that looks like a valid site could be spoofed and you would never even know it.”
If certificate authorities violate user trust, like CNNIC allegedly has, he added, “the entire Web e-commerce structure as we know it breaks down, because it means you can’t trust anyone. Protecting those certificates is the number one priority.”
Mozilla, which runs the popular Firefox Web browser, also wrote about the security breach on its security blog. It stated the corrupt certificate from CNNIC was being used to perform man-in-the-middle attacks, which is exactly the type of attack that Gabberty warned about.
In a man-in-the-middle attack, an attacker sits between the user and the genuine website and presents a fraudulent certificate, so the connection looks secure to the user while the attacker can read or alter the data passing through it.
CNNIC was being used, according to Mozilla, “to generate certificates for domains the device owner does not legitimately own or control.” In other words, it was being used to spoof websites that did not belong to it. It’s still unclear which websites it was used against.
The incident demonstrated a long-standing concern about CNNIC held by several security experts. The Chinese company is able to issue security certificates, and in the latest incident, as Google stated, “the mis-issued certificates would be trusted by almost all browsers and operating systems.”
Google alerted CNNIC and the other major browser makers, and blocked the offending MCS Holdings certificate.
Google said CNNIC contacted it on May 22 and claimed it contacted MCS Holdings, which in turn said it had kept private keys in a man-in-the-middle proxy that can “intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”
“The employees’ computers normally have to be configured to trust a proxy for it to be able to do this,” Google stated. “However, in this case, the presumed proxy was given the full authority of a public CA [Certificate Authority], which is a serious breach of the CA system.”
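To show why a delegated intermediate is so dangerous, here is an added illustration in Go (not code from the article, Google or Mozilla): a constructed test PKI with the shape described above, a trusted root that delegates to an intermediate, which then signs a certificate for a domain its holder does not control. Ordinary path validation accepts the chain, which is why such a certificate "would be trusted by almost all browsers", while a public-key pin that names only the site operator's own CA rejects it. All names, keys and the host are constructed; nothing here is real CA material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs a certificate for name with parent (self-signed root when parent is nil). Throwaway test keys.
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{name},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spki is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares against.
func spki(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario builds root -> delegated intermediate -> leaf for host (the shape of the MCS Holdings chain) and
// reports whether plain path validation accepts it, and whether a pin naming only the site operator's CA does.
func Scenario(host string) (pathOK, pinOK bool) {
	root, rootKey := mkCert("constructed-root-ca", true, nil, nil)
	inter, interKey := mkCert("delegated-intermediate-ca", true, root, rootKey)
	leaf, _ := mkCert(host, false, inter, interKey)
	legit, _ := mkCert("site-operator-ca", true, root, rootKey) // also trusted, but never signed this leaf
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	for _, chain := range chains {
		for _, c := range chain { // pinning passes only if some cert on the validated chain carries the pinned key
			pinOK = pinOK || spki(c) == spki(legit)
		}
	}
	return err == nil, pinOK
}
```

Running `Scenario("www.example.com")` returns path validation true and pin check false: the browser's default trust logic has no way to tell this chain from a legitimate one, only out-of-band knowledge of which CA should have issued the certificate does.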
Google notes that despite CNNIC pinning the blame on MCS Holdings, “CNNIC still delegated its substantial authority to an organization that was not fit to hold it.”
In other words, CNNIC is responsible for the hacking done by MCS Holdings, despite CNNIC’s blaming its subsidiary. MCS Holdings was using a banned system that allowed it to intercept otherwise secure traffic from users.
Google said there is currently no evidence the certificates were abused, and is not advising users to change their passwords at this time.
It added, however, “At this time we are considering what further actions are appropriate.”
A Track Record
Internet freedom organization GreatFire.org has for years warned of security risks presented by CNNIC, and of its presence as a trusted certificate authority in software from Google, Microsoft, Apple, and Mozilla.
GreatFire wrote on its website that since 2013 it has called on major software companies to revoke CNNIC-issued certificates. “Most notably,” they write, “we raised this issue when we reported on the Cyberspace Administration of China’s (CAC) man-in-the-middle (MITM) attacks on Google, Microsoft’s Outlook, Apple, Yahoo and Github.”
GreatFire described the latest case as “definitive evidence that CNNIC was behind a new MITM attack on Google.”
“CNNIC is either complicit in the recent MITM attacks or has intentionally allowed these attacks to happen,” it stated. “We have been witness to the Chinese authorities using MITM attacks against Apple’s iCloud, Google, Microsoft’s Outlook, and Yahoo in this month alone.”
Back in 2014, GreatFire warned that “CNNIC has implemented (and tried to mask) Internet censorship, produced malware and has very bad security practices.” It noted that in China, many tech-savvy users have similarly warned about CNNIC.
One of the key loopholes in the CNNIC structure is the fact that the chair of the company is also the senior Chinese Communist Party official in charge of Internet censorship, Lu Wei.
Lu is the director of the general office of the Central Leading Group for Internet Security and Information, which runs the Internet in China, and is the deputy head of the Central Propaganda Department.
GreatFire alleged in a press release that Lu Wei, and his Cyberspace Administration of China (CAC), are “complicit in attacks on foreign Internet properties in the past.”
“Now we have concrete evidence, which shows that CAC and CNNIC are behind these malicious actions and are endangering safety and security on the Internet for everyone,” it states.