Rogue digital certificates issued in India for several Google domains were identified and blocked last week, Google representatives said Tuesday.
According to Google Security Engineer Adam Langley, the unauthorized certificates were issued by India’s National Informatics Center (NIC), which holds several intermediate Certification Authority (CA) certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
Google said that it has notified NIC, India CCA and Microsoft and has taken steps to make sure the fake certificates are not misused. There’s no evidence of widespread abuse and Google is not asking users to change their passwords, but the company has rolled out CRLSet updates to block the certificates.
Since certificates issued by India CCA are included in the Microsoft Root Store, many applications running on Windows, including Internet Explorer and Chrome, trust them.
Langley pointed out that public-key pinning would have prevented Chrome from accepting the bogus digital certificates for Google websites. Firefox uses its own root store so it’s not impacted, and versions of Chrome running on Android, Chrome OS, OS X and iOS are not affected either, Langley said in a blog post.
India CCA has suspended 3 CA certificates issued to NICCA and has updated corresponding CRLs while the incident is being investigated, the organization said on its website.
“Due to security reasons NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted,” reads a message posted on the website of NICCA.
It’s unclear at this point if the Indian organization suffered a data breach, if it has been tricked into issuing the certificates, or if there’s a different cause for the incident.
“As the world becomes more dependent, and some might say blindly so, on digital certificates it’s only natural that attackers will seek to circumvent this trust. Whether because the Indian government was complicit or a victim of hacking in the issuance of certificates that impersonated Google, the result is the same – individuals, businesses, and even other governments placed blind trust in digital certificates and we’re all the victims,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SecurityWeek.
“Right now, every enterprise should be using certificate whitelisting to make sure the Indian Controller of Certifying Authorities is no longer trusted. Beyond this, enterprises need to be able to respond quickly and remediate. Next time it may be certificates that are issued from a now untrusted CA (as is clearly the case with the Indian CA) or some of their certificates have been compromised and now being missed,” Bocek added.
“We’ve trained operating systems, mobile devices, and even people to blindly trust digital certificates. The use of malicious certificates in India to impersonate Google is a serious and alarming threat for everyone. If we can’t establish trust online, then we’re back to 1993 when you couldn’t run a supply chain, bank over the Internet, or shop online. And even more alarming is what if attackers were compromising certificates used for payment systems, banks, or even e-enabled aircraft from Boeing to Airbus. What we take for granted could all be threatened because we placed blind trust in digital certificates. This is no longer a hypothetical threat – the use of malicious certificates in India against Google and its customers is just one more example of how serious this problem is.”