Following what experts called a "major breach of public trust and confidence," Google has announced that it will no longer recognise security certificates issued by the official China Internet Network Information Centre (CNNIC).
CNNIC responded to Google's announcement with a defence of its practices, calling the search giant's move "unacceptable".
Last month, CNNIC issued security certificates for a number of domains, including Google's, without their permission. Security certificates are akin to a website or online service's fingerprint, and tell a browser whether it can be trusted. By issuing unapproved certificates, CNNIC risked compromising the encryption protocols used to protect users of email services and other secure websites.
"CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems," Google said in a statement.
Officials told Google that they had contracted with Mongolia-based MCS Holdings, which said it would only issue certificates for domains it had registered.
"However, rather than keep the private key in a suitable [hardware security module], MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons," Google said.
Tom Lowenthal, a security and surveillance expert at the Committee to Protect Journalists, said that the move marked a "major breach of public trust and confidence".
"The deliberate breach had the potential to seriously endanger vulnerable users, such as journalists communicating with sources," he wrote.
On Wednesday, Google said that "as a result of a joint investigation of the events surrounding this incident by Google and CNNIC", it would no longer recognise certificates issued by the Chinese authority.
The company said that it did not believe any other certificates had been affected aside from those issued by MCS, and praised CNNIC for taking steps to improve security. "[We] welcome them to reapply once suitable technical and procedural controls are in place."
In a response posted online on Wednesday, CNNIC said Google's decision was "unacceptable and unintelligible" and called on the company to consider user rights and interests.
"For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected," the agency said.
Google's move comes as US president Barack Obama issued an executive order declaring cybersecurity a "national emergency", in the wake of a concerted attack on the open-source code repository GitHub.