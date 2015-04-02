(Adds quotes, details on Chrome, background)
By Paul Carsten
BEIJING, April 2 A Chinese Internet regulator on
Thursday slammed as "unacceptable" a decision by Google Inc
to no longer recognise its certificates of trust, a
move which could deter Chrome browser users accessing sites
approved by the authority.
Google said on its official security blog on Wednesday that
it would no longer recognise the China Internet Network
Information Center (CNNIC) certificate authorities, following a
joint investigation between the company and CNNIC into a
potential security lapse last month.
That means that users of Google's Chrome, the world's top
Internet browser, may get a warning when attempting to visit
sites certified by CNNIC. It was not immediately clear how many
websites CNNIC has certified and could yield warning messages.
CNNIC, which plays a central role in administering China's
Internet by allocating and certifying IP addresses and web
domain names, urged Google to consider user rights and
interests.
"The decision that Google has made is unacceptable and
unintelligible," the agency said in a statement on its website.
Last week CNNIC's certificates, which are used to ensure
that the connection between an Internet user and a website is
secure, came under scrutiny after an official Google blog post
said the Chinese agency had allowed Cairo-based MCS Holdings to
issue unauthorised certificates for various Google domains.
That rendered connections between users and those websites
vulnerable to 'man-in-the-middle' hacking attacks, Google said.
These attacks can intercept and alter communications.
Microsoft Corp and Mozilla, which together with
Google develop three of the world's most-used web browsers, also
removed trust of those unauthorised certificates last week,
following Google's post.
"While neither we nor CNNIC believe any further unauthorised
digital certificates have been issued, nor do we believe the
misissued certificates were used outside the limited scope of
MCS Holdings' test network, CNNIC will be working to prevent any
future incidents," Google said on Wednesday.
The U.S. search giant added that CNNIC was welcome to
reapply for recognition "once suitable technical and procedural
controls are in place," and CNNIC's existing certificates would
be trusted for a limited time through a whitelist.
MCS Holdings said in a statement on its website last week
that the security lapse was the result of human error following
testing of certificates issued to it by CNNIC, which was meant
to take place in a controlled environment.
The Cyberspace Administration of China, the country's
Internet regulator, did not immediately respond to a request for
comment.
Google shut down its local search engine in China in 2010
over censorship concerns, and most of its services are now
inaccessible in China.
(Editing by Jason Subler and Stephen Coates)