Indian government agency issues fake Google certificates

Some systems trusted the fake certificates, some didn't, but Google moved quickly to tell others to revoke them.
Written by Larry Seltzer, Contributor

Last week Google became aware of fake certificates for Google domains issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

According to Google security engineer Adam Langley, users of Chrome and other Google products were not in danger of being spoofed by these domains. But the India CCA is included in the Microsoft trusted root store, which means that most Windows programs that use SSL would, by default, trust the certificates.

Google immediately notified the Indian NIC and CCA as well as Microsoft. Microsoft has revoked the NIC's certificate. A notice on the India CCA home page says "Due to security reasons 3 CA Certificates issued to NICCA have been suspended and the corresponding CRLs have been updated for this purpose. Further updation [sic] will be notified."

Langley goes on to describe the additional TLS/SSL security measures used by Google that protected users from these certificates. As a result, as illustrated in the error messages below, the NIC and certificates issued by it are now untrusted.

The Indian National Informatics Centre's certificates have been revoked. This is what happens now in Chrome (above) and Internet Explorer (below). Firefox also flags the certificates as untrusted.

The India CCA certificates were not in the other major trusted root stores (Apple, Firefox, Chrome OS, and Android), so those systems did not trust them to begin with. Chrome users on Windows were protected by default by certificate pinning, which specifically protects Google domains. Google has also updated their CRLSets to block the false certificates.

Wikipedia describes the Indian National Informatics Center as "...the premier science and technology organization of India's Union Government in informatics services and information-and-communication technology (ICT) applications."
