In a major breach of public trust and confidence, the Chinese digital certificate authority China Internet Network Information Center (CNNIC) certified false credentials for numerous domains, including several owned by Google. The deliberate breach had the potential to seriously endanger vulnerable users, such as journalists communicating with sources. The breach was discovered by Google and published on its security blog on March 23. Despite this serious lapse, it appears CNNIC's authority will not be revoked, and that its credentials will continue to be trusted by almost all computers around the world.
This breach comes at a time when China's "great firewall" is suspected of being used to mount a distributed denial of service attack against popular software site GitHub. Github said that the attacks appear to be intended to persuade it to take down content objectionable to the Chinese regime--content China's firewall cannot filter because GitHub uses the secure HTTPS protocol.
CNNIC has a critical role in the global online security system known as public key infrastructure. Much activity online is protected by robust encryption. Whenever a journalist checks their email or communicates with a source, their privacy depends on this encryption. Fortunately for us all, these encryption systems are strong. They can only be directly broken with incredible computational power.
However, strong encryption relies on strong authentication. It doesn't matter how strong the encryption is if you think you're connecting to the CPJ website, but are actually being connected to a nefarious interloper. That's the role of certificate authorities such as CNNIC--they issue a cryptographic certificate that a domain can use to prove that it is who it claims to be. When you see a padlock icon in your browser's address bar, it's because you have an encrypted connection and the identity of the site has been certified by a certificate authority (CA).
There are a more than 600 CAs according to the SSL Observatory, a public project that accounts for certificates visible online. Any CA can issue a certificate for any domain, website, or email address. Once a credential is issued, almost all computers will trust it, regardless of whether the credential is genuine or erroneous. The security of online communications relies on every one of these CAs being trustworthy and competent. Even one rogue CA can issue false credentials to devastating effect.
False credentials allow for what is called a man-in-the-middle (MiM) attack. With a false credential in hand, an attacker can impersonate whoever the certificate was issued for--like a passport that shows your name but someone else's face. During a MiM attack, a journalist might think they are logging into their email when they're actually sending their password to someone who means them harm.
A MiM attack can also be used for censorship or misinformation. The secure HTTPS protocol for websites normally makes censorship an all-or-nothing affair. A censor can either block the entire site, or allow readers to see any page they want. Since HTTPS is encrypted, it's difficult for a censor to see which page a user is trying to reach and selectively block some pages. A MiM attack with a false credential from a CA gets around this restriction. A censor could choose only to censor those news articles it deems critical, or even selectively re-write articles. A reader might think they're reading a newspaper, but any of the articles could be subtly altered without the reader or the publisher noticing.
Because of the incredible trust placed in CAs, they are voluntarily regulated by an organization called the Certificate Authority / Browser Forum. The forum collectively maintains a set of baseline requirements, which describe how CAs must behave, as well as including technical requirements for cryptographic security and so on. One of these technical requirements is the use of a hardware security module to protect secret keys even if there are other security breaches. Although the forum is responsible for the baseline requirements, it has no ability to enforce them. Violations can only be policed by the software developers when deciding which CAs to trust in their tools.
Each CA also publishes its own documents called a certificate policy and/or certification practice statement (CP/CPS). In these, the CA describes what it will and won't do. CNNIC's CPS was controversial from the start. The practice statement noted that the CA "takes orders from the [Chinese] Ministry of Information Industry to conduct daily business." Commentators in the mozilla.dev.security.policy newsgroup --an open forum where proposals to add and trust new CAs are discussed--were worried that CNNIC would follow orders from the ministry, even if this required them to issue false credentials.
Last week, many of those fears were realized. In violation of its certification practice statement, CNNIC delegated its certificate-signing power to Egyptian IT company MCS Holdings, according to the certificate chain, which Google published. CNNIC helped Google with its investigation, the BBC reported. However, the trust placed in CNNIC to faithfully issue valid credentials was abused in breach of the rules underpinning global Internet security.
The certificate could have been used to falsify credentials for any online communication. According to Google's analysis of its Certificate Transparency logs, MCS used it to do just that, falsifying certificates for several domains, including Gmail and Google's homepage, according to Microsoft security advisory. MCS said in a statement issued March 25 that it used the certificate in a system designed to intercept Internet traffic "for testing purposes."
Google reported that MCS failed to use the required hardware security module. This breach could have allowed an attacker to gain access to MCS' certificate. With its certificate, attackers could have attempted to intercept any communication anywhere in the world, attacking anyone who relies on the security of the CA system.
Despite the severity of the misconduct, the breach appears well-contained. Based on Google's CT logs, MCS' interception had the potential to affect only a small group of users. Google was able to issue an update to its list of revoked certificates, protecting all Chrome users from MCS. Mozilla likewise announced on its security blog that MCS's authority will be revoked in the next Firefox release. In addition, sites that use HTTP public key pinning [HPKP]--a security extension for the HTTPS protocol--were not at risk. HPKP allows sites to notify browsers not to trust certificates issued by any CA apart from the ones named in the current certificate, "pinning" the site to the current CAs. Many Google sites use HPKP.
However, CNNIC was entrusted with the security of all online communications and it substantially breached this trust. Despite this, Google has made no indication that it intends to curtail CNNIC's authority. Several Mozilla mozilla.dev.security.policy newsgroup commentators have called on Mozilla to revoke CNNIC's authority. That discussion is ongoing.
CNNIC's close ties to the Chinese government and military have always raised suspicion in the tech community about its trustworthiness. China's "great firewall" prevents the free and open exchange of information. Chinese security services work hard to suppress internal debate and disagreement and CPJ finds journalists in the region have long been at risk. Control of a CA allows the Chinese government the capability to more easily harass and attack journalists anywhere in the world, and should not be allowed.
CNNIC's actions were a flagrant abuse of the trust placed in them, compromised the integrity of the CA system, and placed all Internet users in danger, especially journalists and those who otherwise face heightened risk. They should not be allowed to continue holding the authority granted them as a CA.
[UPDATE: Paragraphs 10, 11, and 13 have been corrected to reflect that MCS is an Egyptian IT company, to clarify the company's actions, and to add the company's response. Since this blog was posted Google announced plans to revoke the authority of root certificates belonging to CNNIC, and Mozilla said it will no longer trust certificates from the company.]