On December 26, 2014, in an announcement posted on their website, a new chairperson for CNNIC was directly appointed by the Cyberspace Administration of China. The announcement of this appointment coincided with the complete blocking of Gmail.

The Cyberspace Administration of China (中央网信办) is chaired by Lu Wei, “China’s web doorkeeper”. Lu Wei is also the vice chair of the Central Propaganda Department, according to his official resume.

This office is directly responsible for the blocking of Gmail and other websites including Facebook, Twitter and Google.

CNNIC is China’s certification authority and operates the country’s domain name registry. 

What are certificates used for?

Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. 

What is a certification authority (CA)?  

Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

Before September 2014, CNNIC was nominally led by the Chinese Academy of Sciences (中国科学院). This partly explains how CNNIC was able to convince large software vendors to trust it as a certificate authority. But CNNIC is now governed directly by the office in charge of censorship and the Great Firewall (GFW). Lu Wei and the Cyberspace Administration of China report directly to Xi Jinping.

We have outlined CNNIC's dubious history in a previous blog post. Now that CNNIC is directly under the control of the office that is responsible for Chinese internet censorship controls, we again strongly encourage organizations, including Apple and Microsoft, to revoke CNNIC certificates.

In July 2014, Microsoft revoked their trust in a certificate authority operated by the Indian government. In an advisory posted on Microsoft's website, the company states:

“...improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

As we noted in our post about CNNIC, they have been complicit in, or have allowed, the man-in-the-middle (MITM) attacks against Apple, Google, Yahoo and Microsoft in October of this year. In 2005, CNNIC produced award-winning malware.

Microsoft and others are likely hesitant to revoke CNNIC certificates given the message that this would send to the Chinese authorities. This kind of action would also likely generate considerable negative press for Lu Wei and his office. But we urge companies like Microsoft to consider what could happen if they do nothing.

The complete block of Gmail was likely related to the appointment of a new chairperson for CNNIC. Through this person, Lu Wei is continuing to build his profile as China’s internet czar and to centralise more of China’s internet administration under his direct control. Lu Wei has not been shy about sharing his thoughts on Facebook’s plans to enter China:

He (Lu Wei) unapologetically defended China’s need for stronger Internet controls at a trade conference in London in June, and at an October news conference in Beijing, he made it plain that an unfettered Facebook could not expect to operate in China.

“I didn’t say Facebook could not enter China, but nor did I say that it could,” he said.

--- from the New York Times

In the future, we can expect that censorship measures will be put in place on a more timely basis and that the authorities will be able to act much faster when controlling information which they deem to be sensitive.