Google Blocks Rogue Digital Certificates from India
Google revoked four unauthorized digital certificates mis-issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology, according to Google’s Online Security blog.
The certificates were granted for three Google domains and one Yahoo domain, the company said in a recent update. “However, we are also aware of mis-issued certificates not included in that set of four and can only conclude that the scope of the breach is unknown,” said Adam Langley, a Google security engineer.
If left unsolved, flaws in the SSL certificate system can facilitate a wide range of security attacks, such as website spoofing, server impersonation and man-in-the-middle assaults.
The Indian Controller of Certifying Authorities (India CCA), the authority responsible for the certificates, also holds several intermediate CA certificates included in the Microsoft Root Store, which means they are trusted by most programs running on Windows, including Internet Explorer and Chrome.
Google says Firefox is not affected, nor is Chrome on operating systems other than Windows, nor Android, iOS and OS X.
“Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misused certificates for other sites may exist,” Google’s security engineer added.
To protect users, Google plans to limit the India CCA root certificate to several domains, including gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in. Google also launched a Certificate Transparency project, which works as an open framework for monitoring and auditing SSL certificates in near real time.
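As an added example (not Google's or Chrome's code), the two mitigations named above modelled in Python: a root restricted to the listed domains is accepted only when every DNS name the leaf asserts lies under one of them, and a pinned host accepts only a chain whose SubjectPublicKeyInfo hash matches a stored pin. The root label, the hostnames and the SPKI bytes are constructed placeholders.

```python
import base64
import hashlib

# Domains to which the India CCA root is restricted, as listed in the article.
RESTRICTED_ROOT_DOMAINS = {
    "India CCA": ("gov.in", "nic.in", "ac.in", "rbi.org.in",
                  "bankofindia.co.in", "ncode.in", "tcs.co.in"),
}

def name_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it, compared label by
    label so that 'evilnic.in' does not match 'nic.in'."""
    h = host.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(h) >= len(d) and h[-len(d):] == d

def chain_allowed(root_name: str, san_names: list[str]) -> bool:
    """Accept a chain if its root is unrestricted, or if every DNS name the
    leaf asserts lies under one of the root's permitted domains."""
    allowed = RESTRICTED_ROOT_DOMAINS.get(root_name)
    if allowed is None:
        return True
    return bool(san_names) and all(
        any(name_under(n, dom) for dom in allowed) for n in san_names)

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_check(host: str, chain_spkis: list[bytes], pins: dict) -> bool:
    """Pinning passes if any SPKI in the chain matches a pin stored for the
    host; hosts without a stored pin are not pinned and pass."""
    expected = pins.get(host.lower())
    if not expected:
        return True
    return any(spki_pin(s) in expected for s in chain_spkis)

# Constructed sample data: placeholder bytes, not real keys or certificates.
GOOGLE_SPKI = b"constructed-google-spki-der"
ROGUE_SPKI = b"constructed-rogue-spki-der"
PINS = {"www.google.com": {spki_pin(GOOGLE_SPKI)}}

def verify(host: str, san_names: list[str], root_name: str,
           chain_spkis: list[bytes]) -> bool:
    """Both checks must pass for the connection to be accepted."""
    return (chain_allowed(root_name, san_names)
            and pin_check(host, chain_spkis, PINS))
```

A rogue certificate for www.google.com chaining to the restricted root fails on the domain check alone; a certificate for a pinned host issued under a different, unrestricted root still fails unless its chain contains the pinned key.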