According to Google’s blog, the search engine became aware of unauthorised digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. MCS is a Value Added Distributor focusing on Networking and Automation businesses, based near Cairo.
This intermediate certificate was issued by CNNIC.
CNNIC is included in all major root stores, which means the misused certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misused certificates for other sites likely exist.
Google got on the blower to CNNIC and other major browsers about the incident, and blocked the MCS Holdings certificate in Chrome with a CRLSet push.
CNNIC said that it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that it had registered. But MCS installed the intermediate certificate in a man-in-the-middle proxy, which meant it could intercept secure connections by masquerading as the intended destination.
Effectively, this was so that MCS could use the certificate for customers who wanted to monitor their staff's use of the world wide wibble.
“However CNNIC delegated its substantial authority to an organization that was not fit to hold it,” growled Google.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.