With so many web platforms rolled out today, web certificate transparency has become compromised over time. The Certificate Transparency project was originally intended to help eliminate security attacks, server impersonation and man-in-the-middle attacks.
Transparent web certification is achieved by providing an open framework for monitoring and auditing SSL certificates in nearly real time. This gives users the impression that the website they are visiting is authentic and that their connection is secure. This has, however, not been the case with Google products and services, following an interminable feud between the firm and CNNIC, an administrative agency that is responsible for internet affairs and also manages the ".cn" country code top-level domain in China.
Google has accused the China Internet Network Information Center (CNNIC) of endangering users who hold accounts in any of the search firm's products, the most affected being Google Mail and the applications operated by the company. This is, however, not the first time the company has aired such complaints about the Chinese Internet regulator. In 2011, Google accused the Chinese government of hacking the Gmail service in an attempt to quell a social uprising in the country.
The attacks were an attempt by the government to suppress a social uprising in the country, carried out in such a way that the blockage looked as if it came from Gmail's end. Recently, CNNIC, through MCS Holdings, a firm contracted by the Chinese company to provide certificates, issued several unauthorized certificates to domains of its own, which left its users vulnerable to man-in-the-middle attacks.
Even after MCS Holdings admitted to being involved in what it termed "human error", Google expressed disappointment with the Internet regulator, saying CNNIC had delegated its substantial authority to an organization that was not fit to hold it.
The mis-issued certificates are likely to affect users of all browsers and operating systems, since MCS installed the domains in a man-in-the-middle proxy. This could lead to faults such as hijacked information, because these devices intercept secure connections by posing as the intended destination.
After an investigation by both Google and CNNIC, the Internet regulator's root will no longer be recognized in Google's products, a change that is said to take effect in the near future. In the meantime, CNNIC's existing certificates will continue to be marked as trusted in Chrome through the use of a disclosed whitelist.
The recent software hitch has, however, been linked to Google's neglect to renew a security certificate for Gmail and its app services, which would compromise secure connections to a destination. In response to the claim, Google said a security lapse by CNNIC meant the certificates could no longer be trusted.
In the same breath, Google has assured Chrome users of their safety, saying there is no need to change passwords since there is no indication of abuse affecting users. The firm has accused CNNIC of neglecting suitable technical and procedural controls, which is why it has promised appropriate action to control the situation.
As expected, CNNIC does not agree with the company's decision, calling the move unacceptable and unintelligible and asking Google to take users' rights and interests into full consideration. The search engine firm has, however, welcomed CNNIC to reapply for trusted status once procedural controls are in place.