China SSL authority revoked by browsers

Privacy and security practices in China’s technology space have a lot of room for improvement compared with how similar institutions elsewhere have developed over the past decade or more. As outlined in my post “SSL Usage in China,” some institutions and businesses have been slow to adopt global industry security protocols that help keep users safe on the Chinese Internet.

The most recent blow to the Chinese web security space was the decision by Mozilla, Google and Apple to distrust WoSign’s SSL certificate authority after a recent incident involving its free certificate system. Earlier this year it was discovered that the Shenzhen-based certificate authority (CA) had knowingly issued certificates to unverified domains (including a root certificate for Github.com) and did not immediately revoke them after the infosec community uncovered the problem. This, combined with an opaque and “misleading” acquisition of StartCom (another CA), forced major Western browsers to begin distrusting SSL certificates issued by these CAs.

When the incident first came to light, WoSign CEO Richard Wang joined the discussion on Mozilla’s Google Group to perform damage control. The discussion was not very reassuring to some participants and may have been a contributing factor in the CA’s revocation.

This incident is a big deal, especially as WoSign claims to issue a third of all certificates for Chinese websites. With that being said, many major Chinese websites like Baidu and Sina Weibo use certificates issued by Symantec, a leader in its field.

WoSign logo

This is not the first time a CA in China has had its certificates untrusted by Google and Mozilla. The state-sponsored China Internet Network Information Center (CNNIC), the administrative body responsible for the .CN top-level domain (TLD), had its SSL certificates untrusted in April of 2015 after it was discovered that CNNIC had issued certificates for Google domains via an Egypt-based company unfit to manage certificates.

As WoSign/StartCom and CNNIC were the only two China-based CAs trusted by organizations like Mozilla, there are few options for Chinese web users who wish to use local certificates.

Incidents like this show an obvious division between the Chinese Internet and the rest of the technology community. With the Great Firewall essentially cordoning off the Chinese Internet from the systems and practices of the greater web, we may be seeing the beginning of a sort of schism between the priorities of Chinese tech products and those of the greater Web.

Dmitry Medvedev speaking at the World Internet Conference in Wuzhen, China. Courtesy http://government.ru

The established security protocols outside the GFW are not being adopted within China, which is creating greater balkanization of the Internet as a whole. While the Chinese government is trying to secure the Chinese web to a greater degree in light of the revelations from Edward Snowden and its recently passed cybersecurity law, users and institutions may not be demanding adherence to global protocols seen as so closely aligned with the Western Internet status quo. This, coupled with a clearer definition of “Internet Sovereignty,” could mean more incidents similar to the one with WoSign.

There is a chance this isn’t part of some greater strategy to partition the web, but rather a result of the immaturity of the Chinese technology sector itself, which would rather focus on growth in other fields than on these kinds of issues. There is also a chance that the “chabuduo” (“close enough”) culture has let some companies cut corners for the sake of delivering a product as quickly as possible.

Nonetheless, many of the issues created by this incident have already begun to affect the organizational structure of WoSign and StartCom, as recently reported by The Register. With that being said, how this incident will affect the long-term standards of Chinese Internet companies remains to be seen.
