

Private I: Apple's Chinese market share may affect security judgment

Glenn Fleishman | May 4, 2015
Apple's latest earnings show a huge uptick in revenue from China, now the company's second biggest market after the US. But China demands a lot from companies that do business within its borders.

These four firms make three of the most-used commercial or certified operating systems, and the four most-used web browsers, as well as the most commonly used email software. (Opera Software is the fifth Beatle of this group, and has its strong adherents on the desktop and in mobile use.)

Google sounded the alarm on March 23 about what turned out to be an egregiously bad decision by CNNIC, a Chinese domain registrar and certificate authority (CA): it had handed the signing authority of its root certificate to a reseller, ostensibly for a benign or limited purpose, by issuing that reseller an intermediate CA certificate with no constraints on what it could sign. (The secret material is the root's private key; an intermediate signed by that key inherits the root's power to vouch for any certificate unless the root deliberately limits it.)

The reason this was a problem is that, holding such an intermediate, a party can create forged certificates for any domain in the world that a browser, email client, or other software would accept as perfectly valid. That breaks trust the world over, and imperils both privacy and safety: people speaking privately in opposition to a government, whose words can suddenly be decrypted without their knowledge, can be put in danger of their freedom and their lives. (Exploiting an illegitimate but valid certificate still requires a man-in-the-middle position on the network, which is trivial for a government with control over that network.)
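To make the risk concrete, here is an added example written for this edit (not code from Google, Mozilla, CNNIC or any reseller) using the third-party Python cryptography package. It builds a constructed root, issues a reseller an intermediate two ways, and checks a chain with a deliberately minimal validator: with an unconstrained intermediate, a certificate the reseller mints for a domain it does not own is accepted; when the root instead adds an RFC 5280 nameConstraints extension confining the reseller to its own domain, the very same certificate is rejected. Every key, name and domain is made up for the demonstration, and the validator omits the validity-period, revocation and wildcard handling that real clients perform.

```python
# Added example, not from the article: an intermediate CA handed to a reseller
# with no constraints can vouch for any domain; a nameConstraints extension
# confines it. Needs the third-party "cryptography" package. Every key, name
# and domain below is constructed for this demo; none belongs to CNNIC.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2015, 4, 1)  # naive datetime, treated as UTC


def make_cert(cn, issuer_cert, issuer_key, subject_key, *, ca, dns_names=(), permitted_dns=None):
    """Issue a certificate signed by issuer_key; issuer_cert=None self-signs a root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]), critical=False)
    if permitted_dns is not None:
        # The limit the reseller's intermediate lacked: it may only sign names under these domains.
        builder = builder.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DNSName(d) for d in permitted_dns], excluded_subtrees=None),
            critical=True)
    return builder.sign(issuer_key, hashes.SHA256())


def _signed_by(cert, signer):
    """True if the key in `signer` produced `cert`'s signature (ECDSA keys here)."""
    try:
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def _dns_permitted(name, constraint):
    """RFC 5280 DNS constraint: 'example.net' covers itself and every subdomain."""
    constraint = constraint.lstrip(".").lower()
    return name.lower() == constraint or name.lower().endswith("." + constraint)


def validate_chain(leaf, intermediate, root, hostname):
    """Minimal path validation: signatures, CA flags, hostname, nameConstraints.
    Real clients also check validity periods, revocation, key usage and wildcards."""
    chain = [leaf, intermediate, root]
    for cert, signer in zip(chain, chain[1:] + [root]):  # the root signs itself
        if not _signed_by(cert, signer):
            return False
    for issuer in chain[1:]:
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False
    leaf_names = leaf.extensions.get_extension_for_class(
        x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    if hostname.lower() not in [n.lower() for n in leaf_names]:
        return False
    for issuer in chain[1:]:  # a CA's nameConstraints bind every name issued below it
        try:
            nc = issuer.extensions.get_extension_for_class(x509.NameConstraints).value
        except x509.ExtensionNotFound:
            continue
        permitted = [g.value for g in nc.permitted_subtrees or [] if isinstance(g, x509.DNSName)]
        if permitted and not all(any(_dns_permitted(n, c) for c in permitted) for n in leaf_names):
            return False
    return True


def demo():
    """Same reseller key and same forged leaf; only the intermediate's constraints differ."""
    root_key, reseller_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Constructed Root CA", None, root_key, root_key, ca=True)
    unconstrained = make_cert("Reseller CA", root, root_key, reseller_key, ca=True)
    constrained = make_cert("Reseller CA", root, root_key, reseller_key, ca=True,
                            permitted_dns=["reseller.example.net"])
    # The reseller mints a certificate for a domain it does not control.
    forged = make_cert("mail.example.com", unconstrained, reseller_key, leaf_key, ca=False,
                       dns_names=["mail.example.com"])
    legit = make_cert("www.reseller.example.net", constrained, reseller_key, leaf_key, ca=False,
                      dns_names=["www.reseller.example.net"])
    return {
        "forged_under_unconstrained": validate_chain(forged, unconstrained, root, "mail.example.com"),
        "forged_under_constrained": validate_chain(forged, constrained, root, "mail.example.com"),
        "legit_under_constrained": validate_chain(legit, constrained, root, "www.reseller.example.net"),
    }
```

Real clients perform the full RFC 5280 path validation this sketch abbreviates, and they do enforce nameConstraints when an issuer carries the extension; the constraint simply has to be present on the intermediate for that enforcement to help, which is the decision a root CA makes at issuance and cannot retrofit later without reissuing.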

Within days, Mozilla and Google had investigated, removed the reseller's intermediate authority, and kicked CNNIC out of the root list of CAs for all their products: Android, Chrome, Chrome OS, Firefox, Firefox OS, and Thunderbird, to name the marquee items. Mozilla said it would keep older CNNIC-issued certificates valid subject to provisos that don't seem to have been met; Google said all CNNIC-signed certificates would become invalid. Both organizations say they'd consider adding CNNIC back in, probably with additional safeguards in place. Mozilla discusses these issues publicly with its community.

Microsoft removed just the intermediate certificate and issued a tepid security note. Apple has said nothing. CNNIC's root certificate remains in Apple's trusted set in OS X (the trusted roots can be inspected in Keychain Access), and the company hasn't spoken publicly. (A query I made weeks ago received no response to date.)

Microsoft doesn't break out its Chinese or Asian sales, which are estimated to be just a few percentage points of its total revenue. But it has striven for years to increase sales there, and Microsoft's future in devices and cloud services means it needs to grow sales in China.

Apple grossed nearly $17 billion in revenue from China, Hong Kong, and Taiwan in its quarterly earnings announced earlier this week. Google has taken its stance for whatever combination of commercial and political reasons. Mozilla is a nonprofit foundation that stresses transparency in its decision making.

What lies beneath
Earlier this year, the New York Times reported on new rules in China:


