Indian government agency issues fake Google certificates

Summary: Some systems trusted the fake certificates, some didn't, but Google moved quickly to tell others to revoke them.

Last week Google became aware of fake certificates for Google domains issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

According to Google security engineer Adam Langley, users of Chrome and other Google products were not in danger of being spoofed by these domains. But the India CCA is included in the Microsoft trusted root store, which means that most Windows programs that use SSL would, by default, trust the certificates.

Google immediately notified the Indian NIC and CCA as well as Microsoft. Microsoft has revoked the NIC's certificate. A notice on the India CCA home page says "Due to security reasons 3 CA Certificates issued to NICCA have been suspended and the corresponding CRLs have been updated for this purpose. Further updation [sic] will be notified."

Langley goes on to describe the additional TLS/SSL security measures used by Google that protected users from these certificates. As a result, the NIC and certificates issued by it are now untrusted, as illustrated in the error messages below.

The Indian National Informatics Centre's certificates have been revoked. This is what happens now in Chrome (above) and Internet Explorer (below). Firefox also flags the certificates as untrusted.

The India CCA certificates were not in the other major trusted root stores (Apple, Firefox, Chrome OS, and Android), so those systems did not trust them to begin with. Chrome users on Windows were protected by default by certificate pinning, which specifically protects Google domains. Google has also updated their CRLSets to block the false domains.
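The three outcomes described above (trusted by default on Windows, rejected by pinning in Chrome, never trusted elsewhere) can be reproduced with a simplified model of the client-side trust decision. This is an added example, not code from Google or from the article; the certificate names, key bytes and pin set are constructed placeholders, and signature and hostname checks are assumed to have already passed.

```python
import base64
import hashlib

def spki_pin(spki: bytes) -> str:
    """Base64 SHA-256 of SubjectPublicKeyInfo bytes, the usual key-pin form."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def cert(subject: str) -> tuple[str, bytes]:
    # Constructed stand-in for a certificate: (subject, fake SPKI bytes).
    return subject, f"constructed-spki:{subject}".encode()

def evaluate(host, chain, root_store, pins=None, blocked=frozenset()):
    """chain is leaf-to-root; signatures are assumed already verified."""
    chain_pins = {spki_pin(spki) for _, spki in chain}
    if chain[-1][0] not in root_store:
        return "untrusted-root"          # root absent from this client's store
    if chain_pins & blocked:
        return "revoked"                 # CRLSet-style block on a key in the chain
    for domain, allowed in (pins or {}).items():
        if host == domain or host.endswith("." + domain):
            if not chain_pins & allowed:
                return "pin-mismatch"    # valid chain, but not through a pinned key
    return "trusted"

# Constructed chains (names are placeholders, not real certificate subjects).
MISISSUED = [cert("leaf: google.com"), cert("NIC intermediate"), cert("India CCA root")]
EXPECTED = [cert("leaf: google.com"), cert("expected intermediate"), cert("expected root")]

WINDOWS_STORE = {"India CCA root", "expected root"}
OTHER_STORE = {"expected root"}          # Apple, Firefox, Chrome OS, Android
GOOGLE_PINS = {"google.com": {spki_pin(EXPECTED[1][1])}}   # hypothetical pin set
NIC_BLOCKED = {spki_pin(MISISSUED[1][1])}                  # key blocked after the incident

def scenarios():
    host = "mail.google.com"
    return {
        "windows_app": evaluate(host, MISISSUED, WINDOWS_STORE),
        "chrome_on_windows": evaluate(host, MISISSUED, WINDOWS_STORE, GOOGLE_PINS),
        "other_store": evaluate(host, MISISSUED, OTHER_STORE),
        "after_revocation": evaluate(host, MISISSUED, WINDOWS_STORE, blocked=NIC_BLOCKED),
        "genuine_chain": evaluate(host, EXPECTED, WINDOWS_STORE, GOOGLE_PINS, NIC_BLOCKED),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18} {verdict}")
```

The pin only applies to the pinned domain and its subdomains, so a misissued certificate for any other site would still have been accepted by a Windows client until the intermediate was revoked.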

Wikipedia describes the Indian National Informatics Centre as "...the premier science and technology organization of India's Union Government in informatics services and information-and-communication technology (ICT) applications."


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
