Google drops support for Chinese internet security certificates after trust breach

Search giant says it will no longer recognise certificates issued by CNNIC

Google has said it will no longer recognise internet security certificates issued by the official China Internet Network Information Centre. Photo: EPA

Search giant Google will no longer recognise security certificates issued by the official China Internet Network Information Centre (CNNIC) following what experts called a "major breach of public trust and confidence".

CNNIC, which is responsible for internet affairs under the Ministry of Industry and Information Technology, responded to Google's announcement with a defence of its practices, calling the move "unacceptable".

Last month, CNNIC issued security certificates for a number of domains, including Google's, without the domain owners' permission. Security certificates are akin to a website or online service's fingerprint, and tell a browser whether the site it is connecting to can be trusted. By issuing unapproved certificates, CNNIC risked compromising the encryption protocols used to protect users of email services and other secure websites.

"CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems," Google said in a statement.

Chinese officials told Google they had contracted Cairo-based MCS Holdings to issue the certificates. MCS said it would only issue certificates for domains it had registered.

"However, rather than keep the private key in a suitable [hardware security module], MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees' secure traffic for monitoring or legal reasons," Google said.
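The chain-validation logic below is an added illustration, not code from Google or CNNIC: it models a browser walking a leaf-first certificate chain and shows why a CA that is still in the root store lets a proxy-issued certificate validate, and how removing or distrusting that CA makes the same chain fail. Certificates are reduced to (subject, issuer) pairs, and the names "CNNIC ROOT", "MCS Holdings" and "mail.google.com" are constructed labels, not real distinguished names from the page.

```python
from typing import List, Set, Tuple

# A certificate is modelled as (subject, issuer) only; a real validator also
# checks signatures, validity periods, revocation and name constraints.
Cert = Tuple[str, str]

# Constructed chain matching the scenario described above: a leaf for a
# Google domain, issued by the MCS intermediate, chaining to the CNNIC root.
MITM_CHAIN: List[Cert] = [
    ("mail.google.com", "MCS Holdings"),
    ("MCS Holdings", "CNNIC ROOT"),
    ("CNNIC ROOT", "CNNIC ROOT"),
]
# Constructed legitimate chain for comparison.
LEGIT_CHAIN: List[Cert] = [
    ("www.example.com", "Example Intermediate"),
    ("Example Intermediate", "Example Root"),
    ("Example Root", "Example Root"),
]
# Root store as it stood before the change: CNNIC was trusted everywhere.
ROOT_STORE_BEFORE: Set[str] = {"CNNIC ROOT", "Example Root"}
# CAs explicitly distrusted after the misissuance (illustrative name).
DISTRUSTED_CAS: Set[str] = {"CNNIC ROOT"}


def evaluate_chain(chain: List[Cert], trusted_roots: Set[str],
                   distrusted: Set[str] = frozenset(DISTRUSTED_CAS)) -> Tuple[bool, str]:
    """Return (trusted, reason) for a leaf-first chain."""
    if not chain:
        return False, "empty chain"
    # Each certificate's issuer must be the subject of the next one up.
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"broken link: {subject} names issuer {issuer}, found {next_subject}"
    root_subject, root_issuer = chain[-1]
    if root_subject != root_issuer:
        return False, f"chain does not end in a self-signed root ({root_subject})"
    # A distrusted CA anywhere in the chain poisons the whole chain, so the
    # proxy-issued leaf fails even though every link is formally valid.
    for subject, _ in chain:
        if subject in distrusted:
            return False, f"chain contains distrusted CA {subject}"
    if root_subject not in trusted_roots:
        return False, f"root {root_subject} is not in the root store"
    return True, "ok"
```

With an empty distrust set the proxy chain validates against the old root store, which is exactly the exposure the article describes.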

Tom Lowenthal, a security and surveillance expert at the Committee to Protect Journalists, said the Chinese move marked a "major breach of public trust and confidence". "The deliberate breach had the potential to seriously endanger vulnerable users, such as journalists communicating with sources," he wrote.