
FAKE Google web SSL certificates tip-toe out from Indian authorities

Could go through root stores like a bad biryani


Google is warning that dodgy SSL certificates have been issued by India's National Informatics Centre (NIC): these certs can be used by servers to masquerade as legit Google websites and eavesdrop on or tamper with users' encrypted communications.

According to this blog post by Google's security team, the Googlers noticed last Wednesday that unauthorized certificates for several Google domains had appeared, and traced them back to NIC.

What's concerning is that NIC holds several intermediate CA certificates chaining up to the root of the Indian Controller of Certifying Authorities (India CCA), a root that is trusted not only in India but also by at least one major Western vendor's root store.

"The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn't include these certificates," said Google security engineer Adam Langley.

"We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although mis-issued certificates for other sites may exist."

Google engineers alerted both Indian agencies and Microsoft about the problem, and the fake certificates were revoked a day later. In the meantime Google blocked all of the certificates in Chrome with a CRLSet update (Chrome's own push-delivered revocation list) and says its products are in the clear; it appears Microsoft users are now also covered.
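As an added example (not code from the article, Google, Microsoft or NIC), the Go program below rebuilds the situation Langley describes with constructed keys and hypothetical CA names: a root store that trusts an India CCA root accepts the NIC-issued www.google.com chain on ordinary path validation, the public-key pin check then rejects it because no certificate in that chain carries a pinned Google key, and a store without the India CCA root never trusts the chain at all. Every CA name, key and pin value is generated for the example; nothing here is the real Google, India CCA or NIC key material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a constructed certificate with its private key; every CA here is hypothetical.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for subject, self-signed when parent is nil.
func issue(subject string, isCA bool, parent *ca, dns []string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &ca{cert: cert, key: key}
}

// spkiPin is the HPKP-style pin value: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

type result struct{ Valid, PinMatched bool }

// check runs ordinary path validation, then tests every certificate in the chain against the pin set.
func check(leaf, inter *x509.Certificate, store []*x509.Certificate, pins map[string]bool, host string) result {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range store {
		roots.AddCert(r)
	}
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return result{} // untrusted chain: pins are never consulted
	}
	for _, c := range chains[0] { // a pin may name a CA key rather than the leaf
		if pins[spkiPin(c)] {
			return result{Valid: true, PinMatched: true}
		}
	}
	return result{Valid: true}
}

// scenario: a Windows-like store trusting a Google root and the India CCA root, a Firefox-like store trusting only the Google root.
func scenario() (legit, nicOnWindows, nicOnFirefox result) {
	googleRoot := issue("Hypothetical Google Root", true, nil, nil)
	googleInter := issue("Hypothetical Google Internet Authority", true, googleRoot, nil)
	googleLeaf := issue("www.google.com", false, googleInter, []string{"www.google.com"})
	indiaCCA := issue("Hypothetical India CCA Root", true, nil, nil)
	nic := issue("Hypothetical NIC Sub-CA", true, indiaCCA, nil)
	nicLeaf := issue("www.google.com", false, nic, []string{"www.google.com"}) // the mis-issued cert
	pins := map[string]bool{spkiPin(googleRoot.cert): true, spkiPin(googleInter.cert): true}
	windows := []*x509.Certificate{googleRoot.cert, indiaCCA.cert}
	firefox := []*x509.Certificate{googleRoot.cert}
	legit = check(googleLeaf.cert, googleInter.cert, windows, pins, "www.google.com")
	nicOnWindows = check(nicLeaf.cert, nic.cert, windows, pins, "www.google.com")
	nicOnFirefox = check(nicLeaf.cert, nic.cert, firefox, pins, "www.google.com")
	return
}

func main() {
	l, w, f := scenario()
	fmt.Printf("Google chain/Windows store %+v\nNIC chain/Windows store %+v\nNIC chain/Firefox store %+v\n", l, w, f)
}
```

Run it with `go run`. The point to take from it is the order of the two checks: path validation alone is satisfied by any chain that reaches a root the store trusts, which is exactly what the India CCA root gave the NIC certificates on Windows; the pin check walks the whole validated chain and only passes when some certificate in it carries a key Google pinned, so a chain from an unrelated root fails pinning even though it validates. Pinning is the last line of defence for the pinned domains only; as Langley notes, mis-issued certificates for other sites would have passed on Windows until the revocation and CRLSet updates landed.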

"We are aware of the mis-issued third-party certificates and we have not detected any of the certificates being issued against Microsoft domains," a Redmond spokesperson told The Register. "We are taking the necessary precautions to help ensure that our customers remain protected."

The India CCA is now running a full investigation to determine exactly what happened to lead to the certificates being issued, but it's not the first time that certification authorities have either been tricked into issuing dodgy certificates, or hacked to do so. Neither possibility reassures F-Secure's Mikko Hypponen. ®
