Microsoft has updated its Certificate Trust List (CTL) to revoke rogue certificates issued following a breach of India’s National Informatics Center (NIC).
The NIC is a government agency that holds intermediate Certificate Authority (CA) certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
The India CCA’s certificates are included in Microsoft’s Trusted Root Certification Authorities Store, which means they’re trusted by most Windows applications.
Google reported on Tuesday that it had identified unauthorized digital certificates for several of the company’s domains. Following an investigation by the India CCA, it came to light that the NIC’s issuance process was compromised.
While the India CCA found only four fake certificates, three for Google and one for Yahoo domains, Google said that others existed as well, according to an update made on Wednesday to its initial blog post.
This is confirmed by Microsoft, which announced on Thursday that it has revoked improperly issued certificates for over a dozen Google domains and more than two dozen Yahoo domains, including google.com, mail.google.com, gmail.com, login.yahoo.com and mail.yahoo.com.
Microsoft says it’s not aware of any attacks in which the certificates are used, but the CTL has been updated for all supported versions of Windows as a precaution.
“The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks,” Microsoft said in its advisory.
For its part, Google revoked the intermediate CA certificates held by NIC, but because the full extent of the breach has not been determined, the search engine giant also decided to limit the India CCA root certificate to the domains gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in.
The changes will be reflected in a future Chrome release.
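The kind of check such a restriction implies, as an added example (not Chrome's code or anything published by Google): a certificate chaining to the restricted root is accepted only if every DNS name in it is one of the listed domains or a subdomain of one. Matching on whole labels, as RFC 5280 name constraints do, is an assumption about how the limit is applied, and the function names and sample names are constructed for illustration.

```python
# Added example: models the domain restriction described in the article.
# Whole-label suffix matching (RFC 5280 name-constraint style) is an assumption.
PERMITTED = ("gov.in", "nic.in", "ac.in", "rbi.org.in",
             "bankofindia.co.in", "ncode.in", "tcs.co.in")  # list from the article


def _labels(name):
    """Normalise a DNS name to a lower-case label list (trailing dot dropped)."""
    return name.rstrip(".").lower().split(".")


def within(name, permitted=PERMITTED):
    """True if name equals a permitted domain or is a subdomain of one."""
    labels = _labels(name)
    if labels[0] == "*":          # wildcard SAN: judge the domain it covers
        labels = labels[1:]
    if not labels or "" in labels or "*" in labels:
        return False              # empty, malformed, or embedded wildcard
    for base in permitted:
        b = _labels(base)
        # Compare whole labels so "evilgov.in" does not pass as "gov.in".
        if len(labels) >= len(b) and labels[-len(b):] == b:
            return True
    return False


def violations(san_dns_names, permitted=PERMITTED):
    """Return the SAN dNSName entries that fall outside the permitted set."""
    return [n for n in san_dns_names if not within(n, permitted)]


if __name__ == "__main__":
    # Constructed SAN lists for certificates chaining to the restricted root.
    samples = {
        "in scope": ["www.nic.in", "*.gov.in"],
        "mis-issued": ["mail.google.com", "login.yahoo.com"],
        "lookalike": ["evilgov.in", "gov.in.example.com", "*.in"],
    }
    for label, names in samples.items():
        bad = violations(names)
        print(f"{label}: {'reject ' + str(bad) if bad else 'accept'}")
```

A single out-of-scope name is enough to reject the whole certificate, which is why the check reports every offending entry rather than stopping at the first match.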
At the time of writing, the NIC CA is still not issuing certificates. A message posted on the organization’s website informs visitors that operations are not expected to resume any time soon.
While the details of the breach have not been disclosed, according to Google, the first bogus certificate was issued on June 25.
“The use of malicious certificates is another wakeup call for businesses and governments to take action. They cannot trust third party Certificate Authorities (CAs) that their organization now has reason to be trusting. But, browsers, operating systems, enterprise applications, and mobile devices do. Certificate whitelisting makes sure that only those CAs that should be trusted are trusted – all other CAs are removed,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SecurityWeek.
“Right now, every enterprise should be using certificate whitelisting to make sure the Indian Controller of Certifying Authorities are no longer trusted. Beyond this, enterprises need to be able to respond quickly and remediate. Next time it may be certificates that are issued from a now untrusted CA (as is clearly the case with the Indian CA) or some of their certificates have been compromised and now being missed.”

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
