Google no longer recognizes security certificates issued by CNNIC, China's domain name registry. The news comes after unauthorized certificates were issued for Google domains; at the time, Google said that CNNIC contractor MCS Holdings had issued the certificates.
What was worrying was the fact that MCS Holdings installed private security keys in a man-in-the-middle proxy rather than keeping them secure. MCS said that human error was to blame, but Google is taking no chances. The search giant is, for now at least, no longer recognizing certificates from the agency.
CNNIC is responsible for the security certificates issued for .cn domains, so if you visit any of these at the moment, you will see a warning message -- although there's nothing to stop you from continuing to access the site if you wish. However, it is worth noting that what should ordinarily be considered a secure connection may in fact not be.
In an update to a blog post from a couple of weeks ago, Google says:
As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.
While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
It's not currently known when the update will be pushed out to Chrome users, or when Google will publish the whitelist.