Pierluigi Paganini July 10, 2014

Google Security experts have detected and blocked unauthorized digital certificates for a number of its domains issued by the NIC of India.

Google announced to have blocked unauthorized digital certificates for different of its domains issued by the National Informatics Centre of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

Last week, the Google security team observed some unauthorized certificates on some of Google domains and immediately it has triggered the alert, the unauthorized digital certificates could be used for cyber espionage, an attacker could use them to access traffic on a connection considered secure by the victims.

The use of an SSL digital certificate allows the creation of an encrypted channel between two parties, internet users seeing the SSL padlock in their browser believe that they are surfing over a secure (encrypted) link to the website and that the website displaying the padlock is a valid and legitimate organization.

For the above reason an attacker could steal a digital certificate or anyway abusing of a PKI infrastructure. An SSL Certificate issued by trusted Certificate authorities is normally used to authenticate among users and visitors with its effective encrypted connections. The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows OS. The worrying aspect of the alert launched by the Google is that the majority of western companies ordinarily uses intermediate Certificates issued by India CCA.

Giving a look to the most popular web browsers it is possible to verify that Google Chrome and IE Explorer use the Microsoft Root Store while Firefox uses its own root store and for this reason in not affected in the specific case.

“We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist. We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.” reported Adam Langley, Security Engineer at Google

Google immediately informed the CCA, Microsoft and NIC on the use of unauthorized digital certificates while the India CCA is still investigating this incident.

Google is very active in the prevention of any abuse of stolen or unauthorized digital certificates, the company in February during the TrustyCon event presented its Certificate Transparency project, a sort of a public register of digital certificates that have been issued.

“Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.” states the official page of the project.

Unfortunately still many certificate authorities aren’t providing to the public logs.

Pierluigi Paganini

Security Affairs –  (Digital certificate, Google)