A new digital certificate authority security breach in India has hit domains controlled by Google and Yahoo, and what security experts can currently see of the threat may be only the tip of the iceberg.
More than a week ago, Google discovered several unauthorized certificates that had been issued by the National Informatics Center within the Indian Ministry of Communications and Information Technology for the search giant’s various domains.
The threat is that fraudulent certificates let attackers impersonate legitimate websites and read the private, encrypted communications of users who connect to those rogue sites. That is why certificate authorities are supposed to issue a certificate for a domain name only at the request of the domain's owner.
India’s Controller of Certifying Authorities (India CCA) is listed in the Microsoft Root Store, so Windows programs that rely on it, including the Chrome and Internet Explorer browsers, trusted it. Mozilla Firefox users are unaffected because the browser maintains its own root store, which does not include India CCA.
Microsoft has yet to determine whether the fake NIC certificates for Google’s domains were issued because of human error or a technical flaw. India CCA, however, reported that NIC’s certificate issuance process had been compromised. According to Google security engineer Adam Langley, four rogue NIC certificates were issued, three of them for Google domain names and one for Yahoo’s.
Google has also detected suspicious certificates other than those issued by the NIC, so the breach may reach well beyond what authorities have assessed so far.
India CCA immediately revoked NIC’s CA certificates, and NIC has stopped issuing certificates since the breach. Because every NIC-issued certificate became invalid with that revocation, Indian government websites that use NIC-signed SSL certificates are currently treated as untrusted by browsers.
As an example, the Indian government website that accepts Right to Information requests shows visitors the following warning:
“The server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.”
Consequently, Google says that in future Chrome updates it will restrict the India CCA root certificate to the following domains: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in.
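The three browser-side defenses this story turns on can be modelled in a few dozen lines: refusing any chain that contains a revoked CA (India CCA's revocation of NIC's CA certificates), limiting a root to a fixed set of domains (Chrome's announced scoping of India CCA to the list above), and pinning high-value domains to the roots expected to issue for them (the kind of check that lets a browser notice a certificate for a Google domain chaining to the wrong root). The following is an added example written for this article, not Chrome's, Google's or NIC's code; the certificate records, the CA names marked "(placeholder)" and the pin set are constructed, and only the India CCA domain list comes from the article.

```python
"""Simplified model of domain-scoped root trust, CA revocation and issuer pinning.
Constructed example for illustration; not Chrome's or Google's code."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields a trust decision needs; real X.509 parsing is out of scope here."""
    subject: str                 # label standing in for the distinguished name
    issuer: str                  # subject of the certificate that signed this one
    sans: Tuple[str, ...] = ()   # dNSName entries from subjectAltName
    is_ca: bool = False

# Domain suffixes Chrome said it would restrict the India CCA root to (from the article).
INDIA_CCA_SCOPE = ("gov.in", "nic.in", "ac.in", "rbi.org.in",
                   "bankofindia.co.in", "ncode.in", "tcs.co.in")
# Roots absent from this map are trusted for any name, as in an ordinary root store.
ROOT_SCOPES = {"India CCA": INDIA_CCA_SCOPE}
# Placeholder: CA subjects revoked by their parent (India CCA revoked NIC's CA certificates).
REVOKED_CA_SUBJECTS = {"NIC CA (placeholder)"}
# Hypothetical pin set: hosts under these domains must chain to one of the listed roots.
PINS = {
    "google.com": {"Example Root A (placeholder)"},
    "yahoo.com": {"Example Root B (placeholder)"},
}

def _bare(name: str) -> str:
    """Drop a leading wildcard label so '*.gov.in' is scoped as 'gov.in'."""
    return name[2:] if name.startswith("*.") else name

def name_under(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it, respecting label boundaries."""
    n = _bare(name).lower()
    return n == suffix or n.endswith("." + suffix)

def host_matches(host: str, pattern: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def pinned_roots(name: str) -> Optional[Set[str]]:
    """Pin set for the most specific pinned domain covering name, or None if unpinned."""
    matches = [d for d in PINS if name_under(name, d)]
    return PINS[max(matches, key=len)] if matches else None

def evaluate_chain(host: str, chain: List[Cert]) -> List[str]:
    """Return every reason the leaf-to-root chain must not be trusted for host (empty = trusted)."""
    if not chain:
        return ["empty chain"]
    problems: List[str] = []
    leaf, root = chain[0], chain[-1]
    if not any(host_matches(host, san) for san in leaf.sans):
        problems.append(f"{host} is not covered by the leaf's SANs {leaf.sans}")
    # Each certificate must be issued by the next one up, and that issuer must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            problems.append(f"{child.subject} is not validly issued by {parent.subject}")
    # A revoked intermediate anywhere in the chain invalidates everything below it.
    for cert in chain[1:]:
        if cert.subject in REVOKED_CA_SUBJECTS:
            problems.append(f"chain contains revoked CA {cert.subject}")
    # A domain-scoped root may vouch only for names inside its scope.
    scope = ROOT_SCOPES.get(root.subject)
    if scope is not None:
        for san in leaf.sans:
            if not any(name_under(san, s) for s in scope):
                problems.append(f"root {root.subject} is not trusted for {san}")
    # Pinned domains must terminate at one of their expected roots.
    for san in leaf.sans:
        pins = pinned_roots(san)
        if pins is not None and root.subject not in pins:
            problems.append(f"pin violation for {san}: chain ends at {root.subject}")
    return problems

# Constructed chains modelling the article's scenario.
INDIA_CCA = Cert("India CCA", "India CCA", is_ca=True)
NIC_CA = Cert("NIC CA (placeholder)", "India CCA", is_ca=True)
OTHER_SUB_CA = Cert("Other Sub-CA (placeholder)", "India CCA", is_ca=True)
ROOT_A = Cert("Example Root A (placeholder)", "Example Root A (placeholder)", is_ca=True)

ROGUE_GOOGLE = [Cert("mail.google.com", NIC_CA.subject, ("*.google.com",)), NIC_CA, INDIA_CCA]
GENUINE_GOOGLE = [Cert("mail.google.com", ROOT_A.subject, ("*.google.com",)), ROOT_A]
GOV_SITE_NIC = [Cert("rti.gov.in", NIC_CA.subject, ("rti.gov.in",)), NIC_CA, INDIA_CCA]
GOV_SITE_OTHER = [Cert("rti.gov.in", OTHER_SUB_CA.subject, ("rti.gov.in",)), OTHER_SUB_CA, INDIA_CCA]

if __name__ == "__main__":
    for label, host, chain in [("rogue google cert via NIC", "mail.google.com", ROGUE_GOOGLE),
                               ("genuine google cert", "mail.google.com", GENUINE_GOOGLE),
                               ("gov.in site via revoked NIC CA", "rti.gov.in", GOV_SITE_NIC),
                               ("gov.in site via another India CCA sub-CA", "rti.gov.in", GOV_SITE_OTHER)]:
        print(label, "->", evaluate_chain(host, chain) or "trusted")
```

The rogue Google chain fails on three independent grounds (revoked intermediate, root out of scope, pin violation), which is the point of layering the defenses: the scoping rule alone would have blocked the NIC certificates for Google's domains even before revocation, and the pin alone would have caught a mis-issuance from any unrestricted root. The government site signed through the revoked NIC CA fails only on revocation, which matches the warning quoted above, while the same site chained through another India CCA sub-CA is accepted because gov.in is inside the root's scope. `name_under` checks label boundaries so that a name such as `attackergov.in` is not treated as falling under `gov.in`.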