Indian CA – NIC issues fake Google SSL certificates
I was listening to the latest episode of Security Now this morning. I came to know that an Indian CA was issuing a fake SSL certificates for Google subdoamins.
Later got to know that it was NIC as per Google’s blog post
The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.
Its scary because NIC is owned by Govt. of India. As far I know the main use of faked certificates is to do man in the middle attacks. Basically fake the end users that they are Google and read that content. Though the Google blog post doesn’t say which subdomains were faked. Google’s subdomains include Gmail, Drive etc (mail.google.com is Gmail). Which makes it very scary.
At this time, India CCA is still investigating this incident. This event also highlights, again, that our Certificate Transparency project is critical for protecting the security of certificates in the future.
Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.
The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:
Chrome has been updated and I am sure Microsoft also has taken measures. Firefox is clean as they maintain their own root certificates and doesnt include these.
Not sure what else users can do as of now. Try and use Firefox as much as possible.
Also its not a bad idea to access your internet through OpenVPN in a different country. Make sure DNS pings also go through the VPN.
Good work Google Security team.