Investigation does not reveal full extent of the breach

Jul 10, 2014 14:01 GMT  ·  By

Yesterday it was unclear whether the rogue digital certificates discovered by Google had been issued by India’s National Informatics Centre (NIC) by accident or as a result of a hacking incident.

This matter is quite clear now, as Google security engineer Adam Langley has published an update to his initial blog post announcing the blocking of the unauthorized certificates, in which he says an investigation revealed that NIC’s issuance process had been compromised.

The investigation was conducted by the Indian Controller of Certifying Authorities (India CCA), whose certificates are included in the Microsoft Root Store.

According to Langley, India CCA informed Google that their analysis of the incident revealed that only four certificates had been mis-issued as a result of the compromise, the first issuance being recorded on June 25.

“The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains,” writes Langley in the post.

Deceiving Google is not so easy, however: the company has information about additional unauthorized certificates beyond the four that India CCA reported.

The only conclusion is that the full breadth of the breach is still to be discovered. The intermediate certificates mis-issued by NIC have already been revoked, “but a root CA is responsible for all certificates issued under its authority,” says the engineer.

As such, in order to protect the users, a future release of Chrome will limit the India CCA root certificate to the following domains and sub-domains:

- gov.in
- nic.in
- ac.in
- rbi.org.in
- bankofindia.co.in
- ncode.in
- tcs.co.in

Because the India CCA certificates are included in the Microsoft Root Store, many applications on Windows trust them implicitly, Google Chrome and Internet Explorer included.

However, Chrome on Windows also relies on public-key pinning for Google domains, and the company says that the browser would not have accepted the certificates because of it.
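The two client-side defences the article mentions, the per-root domain restriction and public-key pinning, modelled as an added Python example that is not part of the article or of Chrome's own code. The allowed-domain list is the one the article gives; the host names, root labels and SPKI hashes are constructed placeholders.

```python
# Added example (not Chrome's code): a simplified model of two client-side
# defences, a per-root domain restriction and public-key pinning.
# Host names, root labels and SPKI hashes below are constructed placeholders.
from dataclasses import dataclass

# Domains to which Chrome limits the India CCA root (list from the article).
INDIA_CCA_SCOPE = {"gov.in", "nic.in", "ac.in", "rbi.org.in",
                   "bankofindia.co.in", "ncode.in", "tcs.co.in"}
ROOT_SCOPES = {"India CCA": INDIA_CCA_SCOPE}

# Constructed pin set: a chain for these hosts must contain one of the SPKIs.
PINS = {"google.com": {"spki-google-1", "spki-google-2"}}


def in_scope(name: str, scope: set) -> bool:
    """True if name equals a scoped domain or is a sub-domain of one.
    The '.' boundary stops 'evilgov.in' from matching 'gov.in'."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in scope)


def pins_for(host: str):
    """Return the pin set covering host (the host itself or a parent domain)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        pins = PINS.get(".".join(labels[i:]))
        if pins:
            return pins
    return None


@dataclass
class Chain:
    san_names: list     # DNS names in the leaf certificate
    root: str           # label of the trust anchor the chain ends at
    spki_hashes: set    # SPKI hashes of every certificate in the chain


def evaluate(chain: Chain, host: str):
    """Decide whether chain is acceptable for host; returns (ok, reason)."""
    if host.lower() not in [n.lower() for n in chain.san_names]:
        return False, "host not in certificate"
    scope = ROOT_SCOPES.get(chain.root)          # restricted root?
    if scope is not None:
        bad = [n for n in chain.san_names if not in_scope(n, scope)]
        if bad:
            return False, f"root '{chain.root}' not trusted for {bad}"
    pins = pins_for(host)                        # pinned host?
    if pins is not None and not (pins & chain.spki_hashes):
        return False, "public-key pin violation"
    return True, "ok"
```

A Google certificate chaining to the restricted root fails the scope check; one chaining to an unrestricted root still fails unless the chain contains a pinned key.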

With Firefox, there’s a different story: this browser uses its own root store, which does not include the India CCA root, so the rogue certificates are not trusted there.

As soon as Google found out about the rogue digital certificates on July 2, the company proceeded to block them in Chrome with a CRLSet push. Microsoft has also taken some steps to keep its users away from harm.

On July 3, India CCA had already revoked all intermediate certificates issued by the National Informatics Centre.

The compromise of NIC is a serious incident, and it calls into question the organization’s capacity to secure its systems and protect sensitive information from attackers.