Menu
Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others

Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others

The full scope of the security breach is currently unknown, a Google security engineer said

The scope of a recent security breach at a digital certificate authority (CA) controlled by the Indian government is bigger than initially thought and also targeted domain names owned by Yahoo, in addition to several owned by Google.

Google said Tuesday that a week earlier it detected several certificates for Google domain names that had been issued without authorization by the National Informatics Centre (NIC), a branch of the Indian Ministry of Communications and Information Technology.

Certificate authorities are supposed to only issue digital certificates to the owners of the domain names for which they are requested. That's because in the hands of attackers rogue certificates can be used to impersonate legitimate websites and snoop on the encrypted communications of users who connect to those sites if their connections are intercepted en route.

As a CA, NIC was subordinated to India's Controller of Certifying Authorities (India CCA), a certificate authority included in the Microsoft Root Store and trusted by default by the majority of programs that run on Windows, including Google Chrome and Internet Explorer. Mozilla Firefox wasn't affected by the incident because it maintains its own root store that didn't include India CCA. Web browsers running on Linux, Android or Mac OS X were not affected either.

It wasn't clear initially whether NIC issued the rogue certificates for Google's domain names as a result of human error or a security breach, but an investigation by India CCA pointed to the latter.

India CCA "reported that NIC's issuance process was compromised and that only four certificates were misissued; the first on June 25," Google security engineer Adam Langley said Wednesday in an update to his original blog post about the issue. Of the four certificates wrongly issued by NIC and identified by India CCA, three were for Google domain names and one was for domains belonging to Yahoo, Langley said.

India CCA and NIC did not immediately respond to an inquiry seeking more information about how the breach occurred and its impact.

According to Langley, Google is aware of more rogue certificates issued by NIC aside from the four mentioned by India CCA. As a result the company "can only conclude that the scope of the breach is unknown," he said.

NIC's own CA certificates have been revoked by India CCA following the compromise and the organization has a notice on its website that reads: "Due to security reasons NICCA [NIC Certifying Authority] is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon."

The revocation has affected Indian government websites with SSL certificates issued by NIC, because revoking a CA certificate invalidates all certificates signed by it. For example, attempting to access https://rtionline.gov.in/, an Indian government portal for submitting right to information (RTI) requests, in Google Chrome or Internet Explorer will result in a security error because its certificate was issued by NIC and is no longer trusted.

Despite the security breach happening at NIC, Google holds India CCA responsible as well because NIC's CA operated under its authority.

"A root CA is responsible for all certificates issued under its authority," Langley said. "In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in, tcs.co.in," he said.

SSL certificates for any other domain names that chain back to India CCA will no longer be accepted in Chrome.

NIC is not the first government-run certificate authority to issue rogue certificates. In September 2013, a CA certificate owned by the Treasury department of the French Ministry of Finance was used to issue rogue certificates for several Google domain names. The incident was the result of human error.

In July 2011, a hacker broke into the infrastructure of DigiNotar, a certificate authority used by the Dutch government, and issued hundreds of rogue certificates for high-profile domains. DigiNotar filed for bankruptcy following the security breach.

Incidents like these have raised questions about the security and trustworthiness of the public key infrastructure (PKI) in which hundreds of certificate authorities operated by private and public organizations have the power to issue certificates for any domain on the Internet that would be trusted by most browsers and operating systems. Several technical solutions have been proposed to limit the possible impact of CAs being compromised, but none of them have been widely adopted so far.

Google Chrome has a feature called public-key pinning that only accepts pre-defined certificates for some high-profile domain names. This feature would have prevented the rogue Google certificates issued by NIC from being used against Chrome users, but the solution only protects a limited number of popular domains.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags intrusionYahooonline safetyGoogleMicrosoftsecurityNational Informatics CentreIndian Ministry of Communications and Information Technologypki

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments