San Francisco, April 2, 2015–The Committee to Protect Journalists welcomes Google’s plan to revoke the authority of root certificates belonging to China Internet Network Information Center (CNNIC) following CNNIC’s major breach of the trust placed in them to underpin global Internet security. Mozilla also said it will not trust any CNNIC certificates dated after April 1, and is considering further action.
“Security lapses like CNNIC’s place journalists at elevated risk,” said Geoffrey King, CPJ’s Internet Advocacy program coordinator. “This decision by Google and Mozilla will help protect those most vulnerable to online attacks. We urge other software developers to follow suit.”
Internet users rely on strong encryption, which in turn relies on strong authentication, to protect the privacy of their communications. In late March, CNNIC issued false digital credentials which violated its promises and responsibilities as a certificate authority. These credentials were used insecurely by an Egyptian company called MCS Holdings to intercept online communications, Google reported on its security blog. In a statement on its website, MCS said its interception was “for testing purposes.”
EDITOR’S NOTE: The first and second paragraphs of this statement have been updated to reflect Mozilla’s decision.