
Google Punishes China's Internet Agency for Leaving Users Vulnerable to Hacks

Google punished China’s digital certificate authority for a dangerous breach of trust.
Image: Cory M. Grenier/Flickr

Google just said "enough" to a big Chinese government internet regulator, punishing it for potentially putting thousands of online users at risk of getting hacked.

The search giant announced on Wednesday evening that its browser Chrome would stop trusting digital certificates issued by the China Internet Network Information Center (CNNIC), the government regulatory agency that oversees the internet in China.


Digital certificates let a browser verify the identity of a site served over HTTPS (basically any site that shows a green lock in the address bar before the URL) before it trusts the encrypted connection. In theory, this stops an attacker who can intercept traffic from impersonating a site and reading or tampering with what passes through it, a so-called Man in the Middle (MITM) attack.

But in late March, Google detected unauthorized certificates for its own domains that had been issued by an Egyptian firm holding an intermediate certificate from CNNIC. Certificates like these could be used to impersonate Google sites in MITM attacks, which activists said China was already using to censor content and monitor dissidents on tech giants such as Yahoo and Apple.

What that means is that from now on, users visiting websites that use CNNIC certificates might get a warning that the site's security certificate is not trusted.

The CNNIC isn't very happy about Google's decision, which it called "unacceptable and unintelligible."

"CNNIC sincerely urge that Google would take users' rights and interests into full consideration," the agency said in a statement.

The anti-censorship group GreatFire, which has recently been targeted with two large distributed denial of service attacks, likely launched by China, is applauding Google's decision.


"We have been calling for this action for more than a year," Charlie Smith, one of the pseudonymous members of GreatFire, told Motherboard. "The Chinese authorities are taking dangerous, aggressive and damaging efforts in an attempt to censor information globally. We are happy that Google has publicly recognized this."

It's important to note that this won't make thousands of Chinese websites untrusted overnight. Google said that existing valid certificates will be included in a whitelist and still be trusted. Only certificates issued under CNNIC after the cutoff will fail to chain to a trusted root and prompt a warning to the user that the site may be insecure. This should keep established sites from generating warnings, while anything newly issued under CNNIC, whether legitimate or not, will trigger one.
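The following Go program is an added example, not Google's, Chrome's or CNNIC's code, using only the standard library. It builds a toy root, an intermediate under it, and two server certificates, runs ordinary X.509 path validation, and then layers a simplified version of the whitelist rule described above on top. It shows both points made earlier: a certificate for www.google.com issued by the intermediate validates perfectly well under the normal rules, which is exactly why a mis-issuing intermediate is dangerous, and suspending the root while whitelisting pre-existing leaves rejects that new certificate while the old one stays trusted. The certificate names, the fixed clock, and keying the whitelist by the SHA-256 of each leaf's DER encoding are assumptions of this example, not a description of Chrome's actual mechanism.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2015, 4, 2, 12, 0, 0, 0, time.UTC) // fixed clock (assumed); every cert below is valid at this instant

func check(err error) { if err != nil { panic(err) } } // toy code: any key or signing failure aborts

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the parsed cert and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// template builds a CA or server template; only CAs get the basicConstraints and certSign bits.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SuspensionPolicy models the article's rule: chains anchored at the suspended root pass only for whitelisted (pre-existing) leaves.
type SuspensionPolicy struct {
	SuspendedRootSPKI string          // SHA-256 of the suspended root's SubjectPublicKeyInfo
	Whitelist         map[string]bool // SHA-256 of the DER of each pre-existing leaf (assumed encoding)
}

// Evaluate runs ordinary X.509 path validation for host, then applies the suspension policy on top.
func Evaluate(leaf *x509.Certificate, host string, inters, roots *x509.CertPool, p SuspensionPolicy) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return err // signature, validity, CA-constraint or hostname check failed; the policy never runs
	}
	for _, chain := range chains {
		if sha256Hex(chain[len(chain)-1].RawSubjectPublicKeyInfo) != p.SuspendedRootSPKI {
			return nil // anchored at a root that is not suspended
		}
		if p.Whitelist[sha256Hex(leaf.Raw)] {
			return nil // pre-existing certificate, grandfathered in
		}
	}
	return fmt.Errorf("%s: chain anchors only at a suspended root and the leaf is not whitelisted", host)
}

// Scenario builds root -> intermediate -> two leaves and reports trust before and after suspension: [old, new, old, new].
func Scenario() [4]bool {
	root, rootKey := issue(template(1, "Toy Root CA", true), nil, nil)
	inter, interKey := issue(template(2, "Toy Intermediate CA", true), root, rootKey)
	oldLeaf, _ := issue(template(3, "www.example.cn", false), inter, interKey) // issued before the cutoff
	newLeaf, _ := issue(template(4, "www.google.com", false), inter, interKey) // unauthorized, issued after it
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	suspended := SuspensionPolicy{
		SuspendedRootSPKI: sha256Hex(root.RawSubjectPublicKeyInfo),
		Whitelist:         map[string]bool{sha256Hex(oldLeaf.Raw): true},
	}
	return [4]bool{
		Evaluate(oldLeaf, "www.example.cn", inters, roots, SuspensionPolicy{}) == nil,
		Evaluate(newLeaf, "www.google.com", inters, roots, SuspensionPolicy{}) == nil, // the danger: validates cleanly
		Evaluate(oldLeaf, "www.example.cn", inters, roots, suspended) == nil,
		Evaluate(newLeaf, "www.google.com", inters, roots, suspended) == nil,
	}
}

func main() {
	fmt.Println("trusted [old before, new before, old after, new after] =", Scenario())
}
```

Run it with `go run`; Scenario returns [true true true false]: the mis-issued www.google.com certificate passes normal validation, which is the whole problem, and is only stopped once the root is suspended, while the whitelisted older certificate keeps working, as the article says Google intended.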

In fact, when asked how many websites this will affect, Google's security engineer Adam Langley said "hopefully none."

— Adam Langley (@agl__), April 2, 2015

In other words, like security researcher Martijn Grooten explained in a blog post, Google is simply "suspending" CNNIC, in the hopes that the agency gets its act together and can be later reinstated once "suitable technical and procedural controls are in place," as Google put it.

But if CNNIC doesn't comply with Google's demands, two things could happen, according to Grooten.

Either websites drop CNNIC and start using a different certificate authority, or, Grooten said, "Chinese users will get so many [certificate] warnings they'll have to switch browsers to something that does still include the CNNIC root [certificate]."

This "will lead to further balkanisation of the internet," Grooten told Motherboard in an email. "Which IMHO is a very bad thing."