Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others

The full scope of the security breach is currently unknown, a Google security engineer said

The scope of a recent security breach at a digital certificate authority (CA) controlled by the Indian government is bigger than initially thought and also targeted domain names owned by Yahoo, in addition to several owned by Google.

Google said Tuesday that a week earlier it detected several certificates for Google domain names that had been issued without authorization by the National Informatics Centre (NIC), a branch of the Indian Ministry of Communications and Information Technology.

Certificate authorities are supposed to only issue digital certificates to the owners of the domain names for which they are requested. That's because in the hands of attackers rogue certificates can be used to impersonate legitimate websites and snoop on the encrypted communications of users who connect to those sites if their connections are intercepted en route.

As a CA, NIC was subordinated to India's Controller of Certifying Authorities (India CCA), a certificate authority included in the Microsoft Root Store and trusted by default by the majority of programs that run on Windows, including Google Chrome and Internet Explorer. Mozilla Firefox wasn't affected by the incident because it maintains its own root store that didn't include India CCA. Web browsers running on Linux, Android or Mac OS X were not affected either.

It wasn't clear initially whether NIC issued the rogue certificates for Google's domain names as a result of human error or a security breach, but an investigation by India CCA pointed to the latter.

India CCA "reported that NIC's issuance process was compromised and that only four certificates were misissued; the first on June 25," Google security engineer Adam Langley said Wednesday in an update to his original blog post about the issue. Of the four certificates wrongly issued by NIC and identified by India CCA, three were for Google domain names and one was for domains belonging to Yahoo, Langley said.

India CCA and NIC did not immediately respond to an inquiry seeking more information about how the breach occurred and its impact.

According to Langley, Google is aware of more rogue certificates issued by NIC aside from the four mentioned by India CCA. As a result the company "can only conclude that the scope of the breach is unknown," he said.

NIC's own CA certificates have been revoked by India CCA following the compromise and the organization has a notice on its website that reads: "Due to security reasons NICCA [NIC Certifying Authority] is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon."

The revocation has affected Indian government websites with SSL certificates issued by NIC, because revoking a CA certificate invalidates all certificates signed by it. For example, attempting to access https://rtionline.gov.in/, an Indian government portal for submitting right to information (RTI) requests, in Google Chrome or Internet Explorer will result in a security error because its certificate was issued by NIC and is no longer trusted.

Despite the security breach happening at NIC, Google holds India CCA responsible as well because NIC's CA operated under its authority.

"A root CA is responsible for all certificates issued under its authority," Langley said. "In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in, tcs.co.in," he said.

SSL certificates for any other domain names that chain back to India CCA will no longer be accepted in Chrome.

NIC is not the first government-run certificate authority to issue rogue certificates. In September 2013, a CA certificate owned by the Treasury department of the French Ministry of Finance was used to issue rogue certificates for several Google domain names. The incident was the result of human error.

In July 2011, a hacker broke into the infrastructure of DigiNotar, a certificate authority used by the Dutch government, and issued hundreds of rogue certificates for high-profile domains. DigiNotar filed for bankruptcy following the security breach.

Incidents like these have raised questions about the security and trustworthiness of the public key infrastructure (PKI) in which hundreds of certificate authorities operated by private and public organizations have the power to issue certificates for any domain on the Internet that would be trusted by most browsers and operating systems. Several technical solutions have been proposed to limit the possible impact of CAs being compromised, but none of them have been widely adopted so far.

Google Chrome has a feature called public-key pinning that only accepts pre-defined certificates for some high-profile domain names. This feature would have prevented the rogue Google certificates issued by NIC from being used against Chrome users, but the solution only protects a limited number of popular domains.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftGoogleYahooonline safetyintrusionpkiNational Informatics CentreIndian Ministry of Communications and Information Technology

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?