Commentary

Google, Mozilla To Block China's Digital Certificates

Following Google's recent discovery of unauthorized digital certificates for several of its domains, the company announced that its Chrome browser will stop trusting all digital certificates issued by the China Internet Network Information Center (CNNIC), China's main digital certificate authority. The affected Web sites appear with the .cn domain name. Mozilla agreed with the move and will also stop accepting certificates issued by the CNNIC.

On March 20, Google found that the certificates were issued by Egypt-based MCS Holdings, a certificate authority that CNNIC allowed to operate, and made the finding public a couple of days later. On April 1, the company provided an update, suggesting that Google will leave it open for the CNNIC to reapply once it puts technology controls in place.

The CNNIC oversees China's Internet infrastructure. Adam Langley, a Google security engineer, explains in a post that, as a result of an investigation by Google and CNNIC into the events surrounding the incident, the company decided to no longer recognize the CNNIC Root and EV CAs in Google products. "This will take effect in a future Chrome update," he wrote. "To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist."

Google said MCS used the certificates to install a man-in-the-middle proxy. Such devices intercept secure connections by acting like the intended destination and are sometimes used by companies to intercept their employees' secure traffic for monitoring or legal reasons. Google called the incident a "serious breach."

Like Google Chrome, Mozilla Firefox will soon stop accepting certificates from most Web sites with the .cn domain. The ban means that Chrome and Firefox users will receive a pop-up alerting them to possible security risks.
