ID: IRCNE2014072250
Date: 2014-07-12
According to “ZDNet”, Last week Google became aware of fake Google domains issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
According to Google security engineer Adam Langley, users of Chrome and other Google products were not in danger of being spoofed by these domains. But the India CCA is included in the Microsoft trusted root store, which means that most Windows programs that use SSL would, by default, trust the certificates.
Google immediately notified the Indian NIC and CCA as well as Microsoft. Microsoft has revoked the NIC's certificate. A notice on the India CCA home page says "Due to security reasons 3 CA Certificates issued to NICCA have been suspended and the corresponding CRLs have been updated for this purpose. Further updation [sic] will be notified."
Langley goes on to describe the additional TLS/SSL security measures used by Google that protected users from these certificates. As a result, illustrated in the error messages below, the NIC and certificates issued by it are now untrusted.
The India CCA certificates were not in the other major trusted root stores (Apple, Firefox, Chrome OS, and Android), so those systems did not trust them to begin with. Chrome users on Windows were protected by default by certificate pinning, which specifically protects Google domains. Google has also updated their CRLSets to block the false domains.
- 2