Unauthorised Digital Certificates By NIC Has Made Google Worried

A digital certificate binds an identity to a public key, so that a party presenting it can prove it is who it claims to be. It contains the holder's name, a serial number, a validity period, a copy of the holder's public key (used to encrypt messages to the holder and to verify the holder's digital signatures) and the digital signature of the certificate authority (CA) that issued it, so that a recipient can verify the certificate against that CA.

Digital certificates are like electronic passports that allow a person, computer or organisation to exchange information securely over the Internet. They are trusted because they are forgery-resistant and can be verified; the one thing the arrangement cannot survive is the issuing authority itself getting it wrong. That is exactly what India's National Informatics Centre (NIC) has done.

The Controller of Certifying Authorities (CCA), India, operates a root CA that has issued trusted intermediate CA (Certificate Authority) certificates to NIC, so anything NIC signs chains up to the CCA root. Using that authority, NIC improperly issued unauthorised certificates for several Google domains. Such certificates do not break into Google's servers; they let whoever holds them impersonate those sites to any browser that trusts the CCA root. Google raised the alarm after discovering the certificates on July 2.

The exposure is greatest on Windows. India's CCA root is included in Microsoft's Trusted Root Certification Authorities Store, which means that any SSL (secure sockets layer) certificate issued by the CCA or its subordinates, NIC among them, is trusted by default by most Windows programs, including the Internet Explorer and Google Chrome browsers, both of which use the Windows root store.


Microsoft has acknowledged that the improperly issued certificates could be used to spoof content, perform phishing attacks or mount man-in-the-middle attacks against users of the affected sites.

Firefox uses its own root store, which does not include the India CCA root, and is not affected.

Google, too, has assured users that Chrome on other operating systems, namely Chrome OS, iOS, OS X and Android, is not affected, because those platforms do not use the Windows root store. Google has also stated that Chrome on Windows would not have accepted the certificates for the affected Google domains because of public-key pinning: Chrome ships a fixed list of keys that may appear in a certificate chain for Google sites, and a chain signed by NIC contains none of them, however valid it looks to the operating system. Pinning protects only pinned sites, however, and misissued certificates for other domains may still exist.

Google has also described the misissued certificates on its online security blog. It promptly informed Microsoft, alerted India CCA and NIC, and blocked the unauthorised certificates in Chrome with a CRLSet push, Chrome's mechanism for distributing a list of revoked certificates to browsers without depending on online revocation checks.

India CCA acted immediately and informed Google on July 3 that it had revoked all NIC intermediate certificates, and a second CRLSet push was carried out to include that revocation. NIC also suspended issuance of further certificates. On July 8, India CCA informed Google of the results of its investigation: NIC's issuance process had been compromised, and only four certificates had been misissued, three for Google domains and one for Yahoo! domains. Google, however, said it was aware of misissued certificates outside that set of four, so the true scope of the breach is unknown, as is whether the certificates resulted from an external intrusion or from misuse within NIC. An intrusion is the more worrying reading: it would mean an attacker, rather than a careless operator, decided what a trusted CA signed, and nothing about a CA's own infrastructure makes that impossible.

Because the misissued certificates chained to a root that Chrome trusts, Google has decided to limit the India CCA root certificates in Chrome to the domains, and their subdomains, that the CCA legitimately serves: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in. A certificate for any other name that chains to those roots will be rejected even if it is otherwise valid.
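The three checks described above, in one added example written for this page (it is not code from Google, Microsoft, NIC or India CCA): ordinary path validation, which accepts a certificate for www.google.com signed by a trusted root's intermediate no matter who asked for it; public-key pinning, which rejects that chain because no key in it matches the pin the client ships for google.com; and the per-root domain limit Google applied to the India CCA root, implemented here as a check that every DNS name in the leaf falls under one of the seven listed domains. The root, intermediate and leaf are toy certificates generated at run time with Go's crypto/x509, the "Test root" and "Test intermediate" names are placeholders, and the key that stands in for Google's genuine key is likewise freshly generated; the SAN-allowlist form of the domain limit is this example's own construction, not Chrome's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Domains to which Chrome limited the India CCA root after the incident.
var ccaAllowedDomains = []string{"gov.in", "nic.in", "ac.in", "rbi.org.in", "bankofindia.co.in", "ncode.in", "tcs.co.in"}

var root, inter, misissued *x509.Certificate // toy PKI built by buildDemo: no real CCA, NIC or Google keys

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and certifies it under tmpl, signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func ca(name string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}
func server(hosts ...string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// spkiPin is the HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// buildDemo: root (stands in for India CCA) -> intermediate (stands in for NIC) -> misissued leaf for
// www.google.com. It returns the client's pin set for www.google.com: a fresh key the intermediate never signed.
func buildDemo() map[string]bool {
	var rootKey, interKey *ecdsa.PrivateKey
	root, rootKey = issue(ca("Test root"), nil, nil)
	inter, interKey = issue(ca("Test intermediate"), root, rootKey)
	misissued, _ = issue(server("www.google.com", "google.com"), inter, interKey)
	genuine := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return map[string]bool{spkiPin(must(x509.MarshalPKIXPublicKey(&genuine.PublicKey))): true}
}

// verifyChain is plain path validation: the misissued leaf passes because its root is trusted, as on Windows.
func verifyChain(c *x509.Certificate, host string) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
}

// pinCheck is public-key pinning: some certificate in the validated chain must carry a pinned SPKI hash.
func pinCheck(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c.RawSubjectPublicKeyInfo)] {
			return true
		}
	}
	return false
}

// leafAllowed enforces a per-root domain limit: every DNS name must be an allowed domain or a subdomain of one.
func leafAllowed(c *x509.Certificate, allowed []string) bool {
	for _, name := range c.DNSNames {
		ok := false
		for _, d := range allowed {
			ok = ok || strings.HasSuffix("."+strings.ToLower(name), "."+d)
		}
		if !ok {
			return false
		}
	}
	return len(c.DNSNames) > 0
}

func main() {
	pins := buildDemo()
	chains, err := verifyChain(misissued, "www.google.com")
	fmt.Println("path ok:", err == nil, "pin ok:", err == nil && pinCheck(chains[0], pins), "within CCA domains:", leafAllowed(misissued, ccaAllowedDomains))
}
```

Running it prints `path ok: true pin ok: false within CCA domains: false`, which is the situation the article describes: the operating system's path validation accepts the certificate because the root is in the trust store, while the browser's pin for google.com and, after Google's change, the domain limit on the root both reject it. A site with no pins would pass the first check alone, which is why the root-level domain limit, not pinning, is what protects the "other sites" mentioned above; the revocation pushed through CRLSets is the third, independent layer.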

Microsoft, for its part, must judge whether revoking the NIC intermediates is enough, or whether trust in the India CCA root on Windows needs to be constrained as Google has done, without disrupting the legitimate Indian government and banking sites that depend on it.

Fortunately, only a handful of misissued certificates are known, so the damage so far appears limited. Google has also highlighted that its Certificate Transparency project, which requires issued certificates to be recorded in public logs so that misissuance can be spotted by the affected site owners, is critical for protecting certificate security in the future.

Given the growing volume of e-commerce and cloud usage, users are naturally concerned about the validity of certificates and the security they provide. It is a matter of trust.

India CCA should identify the cause of the incident, because what has been compromised is the very credibility it exists to validate and protect; without a clear account, that credibility will not return.