
Google's cert sanction may hamper browsing, trigger China retaliation

Gregg Keizer | April 6, 2015
The impact of Google's decision to remove the root certificates issued by a Chinese certificate authority could hamper millions of Chrome users, particularly those in China.

The Chinese government may retaliate if CNNIC cannot satisfy Google and the two end up at loggerheads, contended one expert.

"They could ban Chrome from government computers," said Adam Segal, a senior fellow at the Council on Foreign Relations and the director of the organization's digital and cyberspace policy program. "It would be much more difficult to do that on [consumer and business computers], but they could block access to downloading Chrome in the future."

China has gotten into a habit of striking back at U.S. and Western European companies that irk the government, Segal noted, especially when officials can point people to a home-grown substitute. There are no realistic replacements for U.S.-made browsers, though: The leading domestic browser, Sogou, accounted for less than 5% in March, Baidu's stats showed. So the response may not be aimed at Chrome, for fear of further disrupting the country.

"I suspect that if they wanted to go after Google, they may not go directly after Chrome," Segal said. "They have lots of other tools. They could hold up licenses for Android [smartphones], for example."

It may not come to that, as both Google and Mozilla have said that CNNIC may reapply for trusted status after changing its practices.

There's nothing wrong with those demands, said John Pescatore, director of emerging security trends at the SANS Institute. "Browser makers have the right to say 'If you screw up, you need to go through this again,'" Pescatore argued. "I think it's a good thing that CAs do that."

But Pescatore cautioned that browser makers must be fair and not apply what he called a "one-strike" rule to CNNIC while giving others, say a U.S.-based CA like Symantec's VeriSign, three strikes before dropping the same hammer.

"From the point of view of North America and Western Europe, we have very good reasons for suspecting Chinese organizations, because they're often extensions of the government, who we know spies on its citizens," said Pescatore. "But outside the U.S. and Europe, many people say the same things about Google, Microsoft and Apple, that after the Snowden disclosures, they're extensions of the U.S. government, or have been compromised by the government."

While Pescatore declined to speculate on specific actions China's government might take, he likened any potential payback to a trade war, where a move by one side generates an eye-for-an-eye response.

"If the U.S. says it's going to test beef coming from China, then China will say it will test the beef that comes from the U.S.," Pescatore said. "And like in a trade war, [retaliation] could create blowback completely unrelated to browsers, perhaps problems for some other U.S. company that's negotiating in China."

