SecurityWeek

Incident Response

Fake Google Digital Certificates Issued by Indian Organization

Rogue digital certificates issued in India for several Google domains were identified and blocked last week, Google representatives said Tuesday.

According to Google Security Engineer Adam Langley, the unauthorized certificates were issued by India’s National Informatics Center (NIC), which holds several intermediate Certification Authority (CA) certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

Google said that it has notified NIC, India CCA and Microsoft and has taken steps to make sure the fake certificates are not misused. There’s no evidence of widespread abuse and Google is not asking users to change their passwords, but the company has rolled out CRLSet updates to block the certificates.

Since certificates issued by India CCA are included in the Microsoft Root Store, many applications running on Windows, including Internet Explorer and Chrome, trust them.

Langley pointed out that public-key pinning would have prevented Chrome from accepting the bogus digital certificates for Google websites. Firefox uses its own root store so it’s not impacted, and versions of Chrome running on Android, Chrome OS, OS X and iOS are not affected either, Langley said in a blog post.
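The three mechanisms the article touches on (root-store trust, CRLSet blocking, and public-key pinning) can be modelled side by side. The following is an added illustration, not Chrome's code or anything from Google's post: certificates are constructed stand-ins whose SPKI bytes are arbitrary labels, and the chain, pin and CRLSet checks are simplified to their key-matching logic.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    spki: bytes         # constructed stand-in for the DER SubjectPublicKeyInfo
    issuer_spki: bytes  # SPKI of the CA that signed this cert (itself for a root)

def spki_hash(spki: bytes) -> bytes:
    """Pins and CRLSet entries are both keyed by SHA-256 over the SPKI."""
    return hashlib.sha256(spki).digest()

def chain_links(chain):
    """Each cert must be issued by the next one; the last must be self-issued."""
    linked = all(c.issuer_spki == nxt.spki for c, nxt in zip(chain, chain[1:]))
    return linked and chain[-1].issuer_spki == chain[-1].spki

def pinned(chain, pins):
    """Chrome-style pinning: some cert in the chain must match a pinned SPKI."""
    return any(spki_hash(c.spki) in pins for c in chain)

def revoked(chain, crlset):
    """CRLSet-style check: {issuer SPKI hash: set of blocked serial numbers}."""
    return any(c.serial in crlset.get(spki_hash(c.issuer_spki), set()) for c in chain)

def validate(chain, roots, pins=frozenset(), crlset=None):
    """Return why the chain was rejected, or 'ok' if a client would accept it."""
    if not chain_links(chain):
        return "broken chain"
    if spki_hash(chain[-1].spki) not in roots:   # root-store trust (the only check that passed here)
        return "untrusted root"
    if revoked(chain, crlset or {}):             # Google's CRLSet push blocks at this step
        return "revoked"
    if pins and not pinned(chain, pins):         # pinning would have blocked it from the start
        return "pin mismatch"
    return "ok"

# Constructed scenario mirroring the incident: a leaf for a Google host signed by an
# NIC intermediate that chains to an India CCA root that sits in the root store.
INDIA_CCA = Cert("India CCA root", 1, b"india-cca-key", b"india-cca-key")
NIC_INTERMEDIATE = Cert("NIC sub-CA", 1001, b"nic-key", b"india-cca-key")
ROGUE_LEAF = Cert("www.google.com (rogue)", 42, b"rogue-key", b"nic-key")
ROGUE_CHAIN = [ROGUE_LEAF, NIC_INTERMEDIATE, INDIA_CCA]
ROOT_STORE = {spki_hash(b"india-cca-key"), spki_hash(b"other-root-key")}
GOOGLE_PINS = frozenset({spki_hash(b"google-real-ca-key")})   # rogue chain contains none of these
CRLSET = {spki_hash(b"india-cca-key"): {1001}}                # blocks the NIC sub-CA by issuer+serial
```

With only the root store consulted the rogue chain validates; adding Google's pins or the CRLSet entry rejects it.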

India CCA has suspended 3 CA certificates issued to NICCA and has updated corresponding CRLs while the incident is being investigated, the organization said on its website.

“Due to security reasons NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted,” reads a message posted on the website of NICCA.

It’s unclear at this point if the Indian organization suffered a data breach, if it has been tricked into issuing the certificates, or if there’s a different cause for the incident.

“As the world becomes more dependent, and some might say blindly so, on digital certificates it’s only natural that attackers will seek to circumvent this trust. Whether because the Indian government was complicit or a victim of hacking in the issuance of certificates that impersonated Google, the result is the same – individuals, businesses, and even other governments placed blind trust in digital certificates and we’re all the victims,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SecurityWeek.

“Right now, every enterprise should be using certificate whitelisting to make sure the Indian Controller of Certifying Authorities are no longer trusted. Beyond this, enterprises need to be able to respond quickly and remediate. Next time it may be certificates that are issued from a now untrusted CA (as is clearly the case with the Indian CA) or some of their certificates have been compromised and now being missed,” Bocek added.

“We’ve trained operating systems, mobile devices, and even people to blindly trust digital certificates. The use of malicious certificates in India to impersonate Google is a serious and alarming threat for everyone. If we can’t establish trust online, then we’re back to 1993 when you couldn’t run a supply chain, bank over the Internet, or shop online. And even more alarming is what if attackers were compromising certificates used for payment systems, banks, or even e-enabled aircraft from Boeing to Airbus. What we take for granted could all be threatened because we placed blind trust in digital certificates. This is no longer a hypothetical threat – the use of malicious certificates in India against Google and its customers is just one more example of how serious this problem is.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
