The situation was handled by Google, but it brought to attention a big security issue

Jul 9, 2014 18:14 GMT  ·  By

In the past week, Google has become aware of several fake certificates for Google domains issued by the National Informatics Centre (NIC) in India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

“The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates,” Google’s Adam Langley, security engineer, explained.

The Internet giant said that it was not aware of any other root stores that included the India CCA certificates, so Chrome on other operating systems (Chrome OS, Android, iOS and OS X) is not affected.

Google explained that Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misused certificates for other sites may exist.

“We promptly alerted NIC, India CCA and Microsoft about the incident and the misused certificates were blocked,” Langley wrote about the July 2 incident.

Two days later, on July 4, India CCA informed Google that all NIC intermediate certificates had been revoked, and another CRLSet push was performed to include that revocation.
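To show why pinning stopped these certificates for Google sites but not necessarily for others, and how a CRLSet push blocks a chain afterwards, here is an added Python sketch (not Google's or Chrome's code, not from the article). All certificates, key bytes and serial numbers are constructed stand-ins; "GoodRoot" stands for a CA Google pins and "IndiaCCA"/"NIC" for a root trusted by the Windows store but never pinned.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 cert; spki would be the DER SubjectPublicKeyInfo."""
    subject: str
    issuer: str
    serial: int
    spki: bytes

def spki_sha256(cert: Cert) -> str:
    """Chrome pins and CRLSets both key on the SHA-256 of the SubjectPublicKeyInfo."""
    return hashlib.sha256(cert.spki).hexdigest()

# Constructed chains (hypothetical key bytes): GoodRoot/GoodInt stand in for CAs Google
# pins; IndiaCCA/NIC stand in for a root trusted by the Windows store that is not pinned.
GOOD_ROOT = Cert("GoodRoot", "GoodRoot", 1, b"good-root-key")
GOOD_INT = Cert("GoodInt", "GoodRoot", 2, b"good-int-key")
GOOD_LEAF = Cert("www.google.com", "GoodInt", 3, b"google-leaf-key")
ROGUE_ROOT = Cert("IndiaCCA", "IndiaCCA", 1, b"india-cca-key")
ROGUE_INT = Cert("NIC", "IndiaCCA", 7, b"nic-int-key")
ROGUE_LEAF = Cert("www.google.com", "NIC", 8, b"rogue-leaf-key")
# Both roots are trusted by the platform store, but only Google's own CAs are pinned.
TRUSTED_ROOTS = {spki_sha256(GOOD_ROOT), spki_sha256(ROGUE_ROOT)}
PINS = {"google.com": {spki_sha256(GOOD_ROOT), spki_sha256(GOOD_INT)}}

def host_pins(host: str):
    """Pins cover a domain and its subdomains; return the most specific matching pin set."""
    labels = host.split(".")
    for i in range(len(labels)):
        pins = PINS.get(".".join(labels[i:]))
        if pins:
            return pins
    return None

def validate(host: str, chain: list, crlset: dict):
    """chain is ordered leaf..root; crlset maps issuer SPKI hash -> set of blocked serials."""
    by_subject = {c.subject: c for c in chain}
    for cert in chain:
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False, "broken chain"
        if cert.serial in crlset.get(spki_sha256(issuer), set()):
            return False, f"revoked: {cert.subject}"
    if spki_sha256(chain[-1]) not in TRUSTED_ROOTS:
        return False, "untrusted root"
    pins = host_pins(host)
    # Pinning passes if any cert in the chain carries a pinned key; a chain built
    # through an unpinned (even if trusted) root fails for pinned hosts only.
    if pins and not any(spki_sha256(c) in pins for c in chain):
        return False, "pin mismatch"
    return True, "ok"
```

A rogue chain for an unpinned host passes until the CRLSet entry for the NIC intermediate is pushed, which is the gap the article's "other misused certificates for other sites" remark points at.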

While Google's troubles are indeed serious, the incident shows that attacks involving fake certificates could grow in intensity and could reach other, more critical areas, as Venafi, a company that provides software to manage, protect and secure encryption keys and digital certificates, points out.

“As the world becomes more dependent, and some might say blindly so, on digital certificates it’s only natural that attackers will seek to circumvent this trust. Whether because the Indian government was complicit or a victim of hacking in the issuance of certificates that impersonated Google, the result is the same – individuals, businesses, and even other governments placed blind trust in digital certificates and we're all the victims,” said Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

Bocek adds that the use of malicious certificates is another wake-up call for businesses and governments to take action. Given the current situation, he believes that every enterprise should be using certificate whitelisting to make sure the Indian Controller of Certifying Authorities is no longer trusted, and that enterprises need to be able to respond quickly and remediate such issues as soon as they appear.

“Next time it may be certificates that are issued from a now untrusted CA (as is clearly the case with the Indian CA) or some of their certificates have been compromised and now being missed,” he added.

The troubles Google went through stem from the fact that operating systems, mobile devices and even people were trained to blindly trust these digital certificates. Using malicious certificates to impersonate Google is a serious and alarming threat that should make everyone pay attention.

“If we can’t establish trust online, then we’re back to 1993 when you couldn’t run a supply chain, bank over the Internet, or shop online,” Bocek adds before painting an even more worrisome picture – having attackers compromising certificates used for payment systems, banks, “or even e-enabled aircraft from Boeing to Airbus.”