Stanford CIS

China's CNNIC issues false certificates in serious breach of crypto trust

By Tom Lowenthal on

In a major breach of public trust and confidence, the Chinese digital certificate authority China Internet Network Information Center (CNNIC) certified false credentials for numerous domains, including several owned by Google. The deliberate breach had the potential to seriously endanger vulnerable users, such as journalists communicating with sources. The breach was discovered by Google and published on its security blog on March 23. Despite this serious lapse, it appears CNNIC's authority will not be revoked, and that its credentials will continue to be trusted by almost all computers around the world.

This breach comes at a time when China's "great firewall" is suspected of being used to mount a distributed denial of service attack against popular software site GitHub. GitHub said that the attacks appear to be intended to persuade it to take down content objectionable to the Chinese regime--content China's firewall cannot filter because GitHub uses the secure HTTPS protocol.

CNNIC has a critical role in the global online security system known as public key infrastructure. Much activity online is protected by robust encryption. Whenever a journalist checks their email or communicates with a source, their privacy depends on this encryption. Fortunately for us all, these encryption systems are strong. They can only be directly broken with incredible computational power.

Read the full piece at the Committee to Protect Journalists website.