Authorities are investigating the cause that led to the incident

Jul 9, 2014 14:59 GMT

An unspecified number of unauthorized digital certificates for several Google domains have been blocked by the search giant after learning of their existence last Wednesday.

Google security engineer Adam Langley said in a blog post that the certificates had been issued by India’s National Informatics Centre (NIC) and that there was no information on the circumstances of the incident.

Digital certificates are issued by trusted Certificate Authorities (CA) and are used by web browsers to verify that a domain is owned by the entity claiming it. They are also used for encrypting the communication between the browser and the domain via secure protocols (SSL/TLS).

As such, unauthorized certificates pose a great risk to users, because the web browser trusts them implicitly, and an attacker could use them to make websites used for malicious activities appear legitimate.

National Informatics Centre in India has multiple intermediate certificates, which are trusted by the Indian Controller of Certifying Authorities (India CCA).

In this case, the India CCA certificates are included in the Microsoft Root Store, which means that many of the applications running on Windows trust them, including the Google Chrome and Internet Explorer web browsers.

Firefox users would not have been affected by the misuse of these certificates, because Mozilla’s browser relies on its own root store, which does not include them.

“We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although mis-issued certificates for other sites may exist,” says Langley in the post.

As soon as the rogue certificates were detected, Google took the necessary steps to alert NIC, India CCA and Microsoft, and blocked them in its Chrome browser via a CRLSet push, a mechanism primarily designed for emergency certificate blocking.
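The two client-side defences the post mentions, public-key pinning and the CRLSet push, can be modelled with a short chain-validation routine. The following is an added example and not code from Google or the article; the certificate chain, SPKI bytes and serial numbers are constructed placeholders, and the root-store, pin and CRLSet checks are simplified stand-ins for the real browser logic.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes    # DER SubjectPublicKeyInfo; constructed stand-in bytes here
    serial: int

def spki_hash(cert):
    """SHA-256 of the SubjectPublicKeyInfo: the value pins and CRLSet entries key on."""
    return hashlib.sha256(cert.spki).hexdigest()

def check_chain(chain, root_store, pins, crlset):
    """chain is leaf-first, ending at the root. Returns (accepted, reason).
    root_store: trusted root SPKI hashes; pins: SPKI hashes for the host, at least
    one cert in the chain must match; crlset: blocked (issuer SPKI hash, serial)."""
    if spki_hash(chain[-1]) not in root_store:
        return False, "untrusted root"
    by_subject = {c.subject: c for c in chain}
    for cert in chain[:-1]:                     # every non-root cert has an issuer in the chain
        if (spki_hash(by_subject[cert.issuer]), cert.serial) in crlset:
            return False, f"blocked by CRLSet: {cert.subject}"
    if pins and not any(spki_hash(c) in pins for c in chain):
        return False, "no pinned key in chain"
    return True, "ok"

# Constructed chain: mis-issued google.com leaf <- NIC intermediate <- India CCA root.
ROOT = Cert("India CCA", "India CCA", b"constructed-root-key", 1)
NIC = Cert("NIC", "India CCA", b"constructed-nic-key", 42)
LEAF = Cert("*.google.com", "NIC", b"constructed-leaf-key", 7)
CHAIN = [LEAF, NIC, ROOT]
WINDOWS_ROOTS = {spki_hash(ROOT)}      # India CCA sits in the Microsoft root store
GOOGLE_PINS = {hashlib.sha256(b"constructed-google-ca-key").hexdigest()}
CRLSET_AFTER_PUSH = {(spki_hash(ROOT), NIC.serial)}   # entry pushed to block NIC

def without_pins_or_crlset():   # Internet Explorer-like client: root trust only
    return check_chain(CHAIN, WINDOWS_ROOTS, set(), set())

def with_google_pins():         # Chrome on Windows before the CRLSet push
    return check_chain(CHAIN, WINDOWS_ROOTS, GOOGLE_PINS, set())

def with_crlset_push():         # any Chrome after the emergency CRLSet push
    return check_chain(CHAIN, WINDOWS_ROOTS, set(), CRLSET_AFTER_PUSH)

if __name__ == "__main__":
    for f in (without_pins_or_crlset, with_google_pins, with_crlset_push):
        print(f.__name__, f())
```

The first scenario shows why the certificates were dangerous on Windows (the chain ends at a trusted root), while the other two show how a pin set for Google hosts and a CRLSet entry for the NIC intermediate each reject the same chain.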

The day after Google’s alert, on July 3, India CCA announced that all NIC intermediate certificates had been revoked.

There are no details on how the incident occurred, and an investigation is currently ongoing in order to determine the circumstances that led to issuing the unauthorized certificates.

One possibility would be that the National Informatics Centre of India was compromised, which is quite a serious problem considering that it is a part of the Indian Ministry of Communications and Information Technology's Department of Electronics and Information Technology.