Menu
Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others

Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others

The full scope of the security breach is currently unknown, a Google security engineer said

The scope of a recent security breach at a digital certificate authority (CA) controlled by the Indian government is bigger than initially thought and also targeted domain names owned by Yahoo, in addition to several owned by Google.

Google said Tuesday that a week earlier it detected several certificates for Google domain names that had been issued without authorization by the National Informatics Centre (NIC), a branch of the Indian Ministry of Communications and Information Technology.

Certificate authorities are supposed to only issue digital certificates to the owners of the domain names for which they are requested. That's because in the hands of attackers rogue certificates can be used to impersonate legitimate websites and snoop on the encrypted communications of users who connect to those sites if their connections are intercepted en route.

As a CA, NIC was subordinated to India's Controller of Certifying Authorities (India CCA), a certificate authority included in the Microsoft Root Store and trusted by default by the majority of programs that run on Windows, including Google Chrome and Internet Explorer. Mozilla Firefox wasn't affected by the incident because it maintains its own root store that didn't include India CCA. Web browsers running on Linux, Android or Mac OS X were not affected either.

It wasn't clear initially whether NIC issued the rogue certificates for Google's domain names as a result of human error or a security breach, but an investigation by India CCA pointed to the latter.

India CCA "reported that NIC's issuance process was compromised and that only four certificates were misissued; the first on June 25," Google security engineer Adam Langley said Wednesday in an update to his original blog post about the issue. Of the four certificates wrongly issued by NIC and identified by India CCA, three were for Google domain names and one was for domains belonging to Yahoo, Langley said.

India CCA and NIC did not immediately respond to an inquiry seeking more information about how the breach occurred and its impact.

According to Langley, Google is aware of more rogue certificates issued by NIC aside from the four mentioned by India CCA. As a result the company "can only conclude that the scope of the breach is unknown," he said.

NIC's own CA certificates have been revoked by India CCA following the compromise and the organization has a notice on its website that reads: "Due to security reasons NICCA [NIC Certifying Authority] is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon."

The revocation has affected Indian government websites with SSL certificates issued by NIC, because revoking a CA certificate invalidates all certificates signed by it. For example, attempting to access https://rtionline.gov.in/, an Indian government portal for submitting right to information (RTI) requests, in Google Chrome or Internet Explorer will result in a security error because its certificate was issued by NIC and is no longer trusted.

Despite the security breach happening at NIC, Google holds India CCA responsible as well because NIC's CA operated under its authority.

"A root CA is responsible for all certificates issued under its authority," Langley said. "In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in, tcs.co.in," he said.

SSL certificates for any other domain names that chain back to India CCA will no longer be accepted in Chrome.

NIC is not the first government-run certificate authority to issue rogue certificates. In September 2013, a CA certificate owned by the Treasury department of the French Ministry of Finance was used to issue rogue certificates for several Google domain names. The incident was the result of human error.

In July 2011, a hacker broke into the infrastructure of DigiNotar, a certificate authority used by the Dutch government, and issued hundreds of rogue certificates for high-profile domains. DigiNotar filed for bankruptcy following the security breach.

Incidents like these have raised questions about the security and trustworthiness of the public key infrastructure (PKI) in which hundreds of certificate authorities operated by private and public organizations have the power to issue certificates for any domain on the Internet that would be trusted by most browsers and operating systems. Several technical solutions have been proposed to limit the possible impact of CAs being compromised, but none of them have been widely adopted so far.

Google Chrome has a feature called public-key pinning that only accepts pre-defined certificates for some high-profile domain names. This feature would have prevented the rogue Google certificates issued by NIC from being used against Chrome users, but the solution only protects a limited number of popular domains.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftGoogleYahooonline safetyintrusionpkiNational Informatics CentreIndian Ministry of Communications and Information Technology

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.‚Äč

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments