The impact of Google's decision to remove the root certificates issued by a Chinese certificate authority could hamper millions of Chrome users, particularly those in China.
That move, which Google will make in a future Chrome update, will put warnings in front of the browser's users, telling them that sites using the root and EV (Extended Validation) certificates issued by CNNIC (China Internet Network Information Center) are not to be trusted. Rather than pull the plug immediately, however, Chrome will continue to trust existing CNNIC-issued certificates "for a limited time."
Mozilla will also sanction CNNIC, but will not remove the root certificates.
Both browser makers reacted to the discovery last month by Google that CNNIC — a nonprofit administered by an agency of the Chinese government — issued an intermediate certificate to an Egyptian company, MCS Holdings. The latter then used its CNNIC-provided certificate to generate unauthorized digital certificates for several Google domains.
Although MCS Holdings claimed that its actions were the result of "human error" and Google confirmed it had seen no signs of abuse — interception of encrypted traffic or a phishing attack, for example — the two browser makers lowered the boom, citing violations of their respective policies regarding certificates.
It's unclear how many domains use certificates issued by CNNIC, or how many are secured by certificates from intermediate CAs that chain to the CNNIC root. Mozilla pegged the number of the former at just over 700, with 68% using the .cn Top Level Domain (TLD).
But Chrome has a major share of China's browsing market.
According to Chinese search engine Baidu, Chrome accounted for 33% of the browsers tracked by the firm's analytics platform, second only to Microsoft Internet Explorer's 41.5%. Another Web metrics vendor, U.K.-based StatCounter, pegged Chrome's usage share at 54.8% for March, handily beating second-place IE's 22.9%.
Chrome's China share was immense compared to Mozilla's Firefox, which was dumped in the "Other" bucket by Baidu and registered at just 4.6% in StatCounter's measurement for March.
After Google removes the CNNIC root certificate from Chrome, users who try to reach an encrypted site secured with a CNNIC-issued certificate will see a warning that the domain is unsafe. Some may disregard the alert and click through, a bad habit to pick up; others may assume that they've reached a malicious website.
The result: Confusion all around.
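A site operator who wants to know whether a chain will trip this warning can check which root it ends at. The shell script below is an added example, not code from the article or from Google: it builds a throwaway CA pair with the openssl CLI, uses a placeholder subject in place of CNNIC's real root name, and does not model the temporary allowance for existing certificates.

```shell
#!/bin/sh
# Constructed demo: every certificate is generated here; the CA named below is a
# placeholder, not CNNIC's real root subject.
set -e
WORK=$(mktemp -d)
REMOVED_ROOT="Placeholder Removed Root CA"

# mkroot NAME SUBJECT_CN: self-signed CA written to $WORK/NAME.pem and .key
mkroot() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# mkleaf NAME ROOT: certificate for site.example issued by the root ROOT
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# chain_status LEAF.pem STORE.pem: prints what a browser applying the article's
# policy would do. "untrusted" = chain does not verify against the store at all;
# "warn" = it verifies, but only through the removed root; "trusted" otherwise.
chain_status() {
  if ! openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
    echo untrusted
    return 0
  fi
  # two-level chain in this demo, so the leaf's issuer is the root it ends at
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= */CN=/')
  if [ "$issuer" = "CN=$REMOVED_ROOT" ]; then echo warn; else echo trusted; fi
}

mkroot kept "Kept Root CA"
mkroot gone "$REMOVED_ROOT"
mkleaf a kept
mkleaf b gone
cat "$WORK/kept.pem" "$WORK/gone.pem" >"$WORK/store.pem"   # store before the removal
echo "a via kept root:    $(chain_status "$WORK/a.pem" "$WORK/store.pem")"
echo "b via removed root: $(chain_status "$WORK/b.pem" "$WORK/store.pem")"
echo "b, root removed:    $(chain_status "$WORK/b.pem" "$WORK/kept.pem")"
```

Against a live server, the same issuer check can be run on the chain returned by `openssl s_client -connect host:443 -showcerts`.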
Not surprisingly, CNNIC didn't care for Google's punishment. "The decision that Google has made is unacceptable and unintelligible," the organization said in a Thursday statement.
CNNIC may be a small player in the certificate authority (CA) space — it's not among the seven largest that comprise the CA Security Council, for instance, which includes Comodo, Entrust, GoDaddy and Symantec — but it is a powerhouse within China. One of its primary duties is to administer the massive .cn TLD.