Major Web browsers including Firefox, Internet Explorer, Safari, and Chrome granted a trust certificate to the China Internet Network Information Center (CNNIC) in 2010. CNNIC is similar to ICANN—the Internet Corporation for Assigned Names and Numbers—in the United States. CNNIC and ICANN are major certificate authorities, meaning they are allowed by Web browsers to determine the validity of websites—to confirm, for example, that Gmail.com is really Gmail.com. The little padlock in the browser window means that a website has been signed by a certificate authority. CNNIC also runs China’s domain name registry, where websites are registered.
The problem is that CNNIC is now directly and explicitly controlled by the Chinese regime. The day after Christmas last year, the Cyberspace Administration of China appointed the new chair of the CNNIC: it was none other than Lu Wei, a communist apparatchik who wears many hats.
Lu Wei is the director of the general office of the Central Leading Group for Internet Security and Informatization—that is, the Communist Party organ that effectively runs the Internet in China. He is also deputy head of the Central Propaganda Department.
So now the man in charge of the Chinese agency that blocks Facebook, Twitter, and Google is also in charge of the organization that verifies whether websites are legitimate, given that CNNIC has been accepted as a root certificate authority by major Web browsers, including Firefox and Chrome.
“CNNIC can ‘ensure the identity of a remote computer,'” said Percy Alpha (a pseudonym), co-founder of GreatFire.org in an email. GreatFire tracks Chinese online censorship and Internet control. Alpha continued, “If … state-sponsored hackers use CNNIC for a man-in-the-middle attack, your computer or iPhone will trust a snooped connection hijacked by hackers.”
As a Web user, you would see the little padlock in your Internet browser, just as usual when checking email. But “all your communications can be recorded, analyzed, and manipulated by [the Great Firewall] or hackers,” Alpha said, referring to the Chinese regime’s system for censoring the Internet, the Golden Shield Project, often referred to as the Great Firewall.
There are suspicions that CNNIC has already used its certificate authority to verify infected websites, according to researchers. But security researchers are concerned with what they see as the untrustworthy background of the organization, and the track record of the Chinese regime in Internet control.
The Chinese regime has a track record of such attacks. Technology website TechDirt reported on Nov. 7 that in September the regime was suspected of “using man-in-the-middle attacks to spy on citizens who carry out Google searches over encrypted connections.” It noted that such an attack had to use a computer’s trust certificate authority, “in this case the China Internet Network Information Center.”
CNNIC, meanwhile, was the producer of one of the world’s top malware, called “Chinese-Language-Surfing Official Edition,” which comes bundled with a multitude of shareware software packages for Windows machines in China.
According to GreatFire.org, Panda Security also noted CNNIC has “exploited vulnerabilities and used other malware to distribute the software” and through this “captures all information entered or saved by the user, which leads to significant privacy issues.”
GreatFire.org said that CNNIC has “been complicit in or have allowed the man-in-the-middle attacks against Apple, Google, Yahoo and Microsoft in October of this year.” It also notes that the change in command at CNNIC also coincided with the Chinese regime blocking Gmail in China.
An attack facilitated by CNNIC certificates would likely be highly targeted, and need to be launched in conjunction with other network intrusions.
Such an attack could lead to “usernames, passwords, text messages, emails, photos, contacts and even financial information … acquired by the Chinese authorities,” wrote Percy Alpha of GreatFire.org.
CNNIC used to be under the command of the Chinese Academy of Sciences, an official think tank, and defenders of its trusted certificates said that this affiliation made malicious attacks less likely. It was thought that since CNNIC was ostensibly at an arm’s length from Chinese authorities, it was more-or-less harmless. Now, that has changed.
Edward Felten, a cybersecurity researcher, for example, wrote on Princeton’s Freedom to Tinker blog in February 2010: “Let’s suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. … Then CNNIC’s status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens’ ‘secure’ Web connections.”
In the scenario provided by Felten, when a Chinese citizen visited Gmail.com, the connection would be diverted to a fake Gmail site run by Chinese regime, but it would look real because of the CNNIC certificate. “The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen’s email archive.”
Under the recent changes, that scenario is now a real possibility.