Fake Google SSL Certificates – Courtesy NIC

Yet again we stumble across fake SSL certificates being issued. This time around, fake certificates for Google domains were issued by none other than the Indian certifying authority, the National Informatics Centre (NIC).

The incident came to light via Google’s blog post, which is reproduced in the following paragraphs. According to Google, on 2 July they became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

Moreover, India CCA certificates are included in the Microsoft Root Store and are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. However, Firefox is not affected because it uses its own root store that doesn’t include these certificates.

We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.

We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.

On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.

The problem with such rogue certificates is that they allow unhindered snooping on traffic to Google services. Since NIC is a government organization, the incident raises quite a few questions: whether NIC was hacked, or whether a sheer mistake was made while issuing these certificates, is itself a serious concern, as both acts are unforgivable. Since India CCA is conducting an investigation, nothing more can be said about this for now.

Google’s initiative to detect fraudulently issued certificates through its Certificate Transparency program is commendable; however, there is still a window during which snooping can be conducted, from the moment a rogue certificate is issued until it is detected and subsequently revoked.
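The public-key pinning check that made Chrome reject these certificates for Google domains, as an added example (not from this post or from Google): it pulls the SubjectPublicKeyInfo out of each DER certificate with a minimal ASN.1 walk, hashes it the way Chrome’s pins do (base64 of SHA-256 over the SPKI), and accepts a chain only if one of its keys is in the pin set, so a chain ending at a root-store CA that is not pinned still fails even though the OS trusts that CA. The certificates, key bytes and names below are constructed placeholders, not real certificates.

```python
import base64
import hashlib

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, inner value, raw TLV bytes) for each element of a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, inner, nxt = der_read(value, pos)
        yield tag, inner, value[pos:nxt]
        pos = nxt

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)), the pin format Chrome/HPKP use."""
    _, cert, _ = der_read(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = der_read(cert, 0)           # tbsCertificate SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(fields[5][2]).digest()).decode()

def chain_pinned(chain_der, pins):
    """Pinning: some cert in the chain must match a pin, whatever root store trusts it."""
    return any(spki_pin(c) in pins for c in chain_der)

def der_tlv(tag, body):
    """Encode one short-form DER TLV (enough for the constructed sample)."""
    return bytes([tag, len(body)]) + body

def fake_cert(key, name):
    """Constructed unsigned certificate skeleton with a toy key; only its structure matters."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    rdn = seq(der_tlv(0x0C, name))                                            # simplified Name
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),  # version, serial
              seq(der_tlv(0x06, b"\x2a\x03")), rdn,                           # sigAlg, issuer
              seq(der_tlv(0x17, b"150101000000Z")), rdn,                      # validity, subject
              seq(der_tlv(0x03, b"\x00" + key)))                              # subjectPublicKeyInfo
    return seq(tbs, seq(der_tlv(0x06, b"\x2a\x03")), der_tlv(0x03, b"\x00sig"))

# Constructed scenario: the pin set holds Google's own key, so a certificate for the
# same name issued under a different CA (even one in the Windows root store) fails.
PINS = {spki_pin(fake_cert(b"google-key", b"google"))}
LEGIT_CHAIN = [fake_cert(b"google-key", b"google"), fake_cert(b"gia-key", b"GIA")]
ROGUE_CHAIN = [fake_cert(b"rogue-key", b"google"), fake_cert(b"nic-key", b"NIC")]
```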

In the past too, through this blog, I had spoken about the decentralized structure of certificate management and how there is a need to rein in such rogue certificates by centralizing the entire process, but it seems a greater disaster is waiting to happen.

This entry was posted in eScan 11.