
Google Blocks Fake SSL Certificates Issued by Indian Government Agency


Google has blocked unauthorized digital certificates for several Google domains issued by the National Informatics Centre of India (NIC), a unit of India’s Ministry of Communications and Information Technology.

According to a blog post by Google security engineer Adam Langley, Google became aware of the rogue certificates on July 2. By July 3, the Indian Controller of Certifying Authorities (India CCA) revoked all the NIC intermediate certificates.

Google said that the India CCA certificates are included in the Microsoft Root Store, and therefore “are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome.”

While they are far from perfect, SSL certificates are still one of the core elements of online security. But because hundreds of entities issue certificates, it is difficult to identify rogue CAs that aren’t following proper procedures. To address this issue, Google recently launched its Certificate Transparency project to provide an open framework for monitoring and auditing SSL certificates in near real-time. DigiCert was one of the first Certificate Authorities to implement Certificate Transparency after working with Google for a year to pilot the project.

According to Google, Firefox users are not impacted because Firefox doesn’t use the India CCA certificates, and Google said there is no indication of widespread abuse. Google is not suggesting that Chrome users change passwords.

“We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected,” Langley said. “Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.”

This is not the first time that a government agency has mistakenly signed an intermediate CA certificate. In December, Google revoked trust for a digital certificate for several of its domains, mistakenly signed by a French government intermediate certificate authority.
