Private I: Apple's Chinese market share may affect security judgment
Google apparently doesn’t mind picking a fight with China. In 2010, unable to find a basis on which it could operate its services with minimal filtering or interference, and after attacks reported to originate in China against the company’s internal mail and other systems, it shifted its search results for mainland China to servers in Hong Kong. Hong Kong operates under a special status, though it is part of the People’s Republic. Mainland searchers had to use workarounds to perform searches via Google in Hong Kong and elsewhere.
In late 2014, China blocked retrieving Gmail via email clients using IMAP and POP3 and sending via SMTP. Webmail has been intermittently heavily disrupted. China has also stepped up its blocking of virtual private networks (VPNs) and other connections, preventing tens of millions of people in China, if not more, from accessing resources outside the country that are blocked by the Great Firewall of China. (I discussed the Great Firewall and Great Cannon, an offensive weapon, a few weeks ago.)
Google’s primary source of revenue is selling advertising next to search results; its secondary sources include the sale of apps and media in Google Play, business services (like Google Apps for Work), and video advertising embedded in YouTube. It can deliver these digital services from anywhere in the world to anywhere in the world—unless blocked.
This may help explain in part the divergence in how Google and Apple responded to the high-level breach of trust by China’s top domain and security authority, CNNIC, in early March. (I explain the background in “Trust and verify for network certificate roots,” March 26.)
How we trust who we trust
The Internet requires trust, whether you want to believe that or not. Most traffic on the Internet still passes in the clear through data centers and within and across national boundaries. An increasing percentage is encrypted. An ever-larger part of that is protected in such a way that even the companies making the software can’t peek within what’s being sent and read your messages or see your photos. This has annoyed the FBI, the prime minister of the United Kingdom, and authorities in many other countries.
Much of the trust for encryption centers around a few hundred entities called certificate authorities (CAs), which are delegated the trust to issue digital certificates that secure communications between client and server software, such as a web browser and a web server. These CAs are, in turn, trusted by different groups that agree to include them in a baked-in list. The primary agents of trust are Apple, Google, Mozilla, and Microsoft.
These four firms make three of the most-used commercial or certified operating systems, and the four most-used web browsers, as well as the most commonly used email software. (Opera Software is the fifth Beatle of this group, and has its strong adherents on the desktop and in mobile use.)
Google sounded the alarm March 23 about what turned out to be the egregiously bad idea of Chinese domain registrar and CA, CNNIC, to pass on authority for its root certificate—the secret encryption material used to countersign any certificate it issues—to a reseller for an ostensibly benign or limited purpose.
The reason this was a problem is that with that information, a party can create forged certificates for any domain in the world that a browser, email client, or other software would accept as perfectly valid. That’s a problem—it breaks trust the world over, and imperils both privacy and safety: people saying things privately in opposition to the government whose words can suddenly be decrypted without their knowledge can be put in danger of their freedom and their lives. (Using an illegitimate but valid certificate still requires a man-in-the-middle attack, which is trivial for a government.)
Within days, Mozilla and Google had investigated, removed the reseller’s intermediate authority, and kicked CNNIC out of the root list of CAs for all their products: Android (OS), Chrome, Chrome OS, Firefox, Firefox OS, and Thunderbird, to name the marquee items. (Mozilla said it would keep older certificates valid given provisos that don’t seem to have been met; Google said all CNNIC-signed certificates would become invalid.) Both organizations say they’d consider adding CNNIC back in, probably with additional safeguards in place. Mozilla discusses these issues publicly among its community.
Microsoft removed just the intermediate certificate and issued a tepid security note. Apple has said…nothing. CNNIC’s root certificate remains in Apple’s trusted set in OS X (which can be viewed in Keychain Access), and the company hasn’t spoken publicly. (A query I made weeks ago received no response to date.)
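To make concrete why delegating a CA’s signing authority is so dangerous, and how the responses described above differ in effect, here is an added Go example (not code from the article, from CNNIC, or from any of the vendors named). It builds a throwaway, constructed chain: a root CA, an intermediate the root handed to a “reseller,” and a leaf certificate the reseller minted for a hostname it never controlled (mail.example.com, a placeholder). It then asks Go’s standard X.509 verifier whether a client would accept that leaf under three trust-store policies: leave the root alone (the status quo the column describes for Apple), remove the root entirely (Google’s approach), or block only the reseller’s intermediate by fingerprint (Microsoft’s approach). A second leaf issued directly by the root shows the gap the intermediate-only block leaves open.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a minimal certificate for this constructed PKI (nothing here is real
// CNNIC or reseller material): CAs get the certSign key usage, leaves get the serverAuth
// extended key usage and the DNS name a browser will check.
func template(cn string, serial int64, isCA bool, dns []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: dns,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl (whose subject holds key) with the parent CA's key, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// fingerprint is the SHA-256 of the DER certificate, the usual key for a block list.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Accepted reports whether a client whose trust store holds roots, and which refuses any
// certificate listed in blocked, would accept leaf for host when the server sends intermediates.
func Accepted(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, blocked map[string]bool, host string) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		if !blocked[fingerprint(r)] {
			rootPool.AddCert(r)
		}
	}
	for _, i := range intermediates {
		if !blocked[fingerprint(i)] {
			interPool.AddCert(i)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err == nil
}

// Scenarios plays the three responses against a constructed chain: root -> reseller
// intermediate -> leaf for a host the reseller never controlled, plus a second leaf
// the root issued directly, bypassing the reseller.
func Scenarios() map[string]bool {
	rootKey, resellerKey := newKey(), newKey()
	root := issue(template("Constructed Root CA", 1, true, nil), nil, nil, rootKey)
	reseller := issue(template("Constructed Reseller CA", 2, true, nil), root, rootKey, resellerKey)
	viaReseller := issue(template("mail.example.com", 3, false, []string{"mail.example.com"}), reseller, resellerKey, newKey())
	direct := issue(template("direct.example.com", 4, false, []string{"direct.example.com"}), root, rootKey, newKey())
	trusted, chain := []*x509.Certificate{root}, []*x509.Certificate{reseller}
	none, blockReseller := map[string]bool{}, map[string]bool{fingerprint(reseller): true}
	return map[string]bool{
		"no action, leaf via reseller":                Accepted(viaReseller, chain, trusted, none, "mail.example.com"),
		"root removed, leaf via reseller":             Accepted(viaReseller, chain, nil, none, "mail.example.com"),
		"root removed, leaf direct from root":         Accepted(direct, nil, nil, none, "direct.example.com"),
		"intermediate blocked, leaf via reseller":     Accepted(viaReseller, chain, trusted, blockReseller, "mail.example.com"),
		"intermediate blocked, leaf direct from root": Accepted(direct, nil, trusted, blockReseller, "direct.example.com"),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-44s accepted=%v\n", name, ok)
	}
}
```

Run it with `go run` and the first scenario comes back accepted: as long as the root stays in the store, a client has no way to tell the reseller’s forged mail.example.com certificate from a legitimate one. Removing the root rejects everything beneath it, including certificates the root issued directly; blocking only the intermediate stops this one reseller but leaves every other certificate chaining to that root trusted, which is the difference between Google’s and Microsoft’s responses. On OS X you can check whether the real root is still present with `security find-certificate -a -c CNNIC /System/Library/Keychains/SystemRootCertificates.keychain`.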
Microsoft doesn’t break out its Chinese or Asian sales, estimated to be just a few percentage points of its total revenue. But it has strived for years to increase sales there, and the future of Microsoft in versatile devices and cloud services means it has to bump sales in China.
Apple reported nearly $17 billion in revenue from China, Hong Kong, and Taiwan in the quarterly earnings it announced earlier this week. Google has taken its stance for whatever combination of commercial and political reasons. Mozilla is a nonprofit foundation that stresses transparency in its decision making.
What lies beneath
Earlier this year, the New York Times reported on new rules in China:
The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.
(The United States has allegedly attempted to insert its own back doors in equipment made by Chinese firms, notably Huawei.)
While these rules apply to the banking industry and aren’t yet being enforced, pressure apparently exists across many industries for the same sorts of requirements, partly to steer purchases to Chinese firms that will have no choice but to agree to the conditions.
Apple failing to boot CNNIC and failing to discuss its reasoning for not doing so isn’t a minor point when hundreds of millions of computers and devices are affected by its decision, and two other firms—one a competitor and one not really in the same business or in any real business at all—with different constraints in China acted quickly and publicly.
The importance of China to Apple’s continued growth can’t be overstated. This is why Apple should be held to just as high a standard of disclosure about issues affecting security there as it is when Tim Cook bucks the FBI and NSA.