Beware of Google domains bearing gifts – especially gifts from India.
On Tuesday, Google’s Adam Langley took to the company’s security blog to warn about unauthorized digital certificates that have been issued by India’s National Informatics Centre (NIC) and used to vouch for “several Google domains.”
Google notified the NIC, as well as India’s Controller of Certifying Authorities (CCA) and Microsoft, about the discovery, and the certificates have since been revoked, Langley said.
As Cory Doctorow noted over at BoingBoing.net, most operating system vendors and browser makers don’t trust NIC-issued certificates as a matter of course. However, NIC holds intermediate CA (certificate authority) certificates that chain up to India’s CCA, and CCA-trusted certificates are included in Microsoft’s Root Store, meaning applications running on Windows, as well as Microsoft’s Internet Explorer web browser, would have trusted the bogus NIC certificates. Google said that Chrome users on Windows would not have been fooled by the bogus certificates for Google domains, because Chrome uses public key pinning for Google’s sites: a certificate chain is rejected unless it contains one of the public keys Google expects, even if it validates to a root the operating system trusts. Chrome users on non-Windows platforms would have also been spared, since their root stores do not include the CCA root. The Mozilla Foundation likewise does not accept NIC-issued certificates, so Firefox users would not have been affected.
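The difference between the two checks described above, shown with Go’s standard x509 package as an added example that is not from the original article or from Google: constructed certificates model a root in the platform store, a rogue intermediate under it, and a mis-issued leaf for a hypothetical host, and the block reports what a plain root-store validation and a public-key pin check each conclude about that chain (all names and keys here are constructed for the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for name signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is what public key pinning compares: SHA-256 of the SubjectPublicKeyInfo, not of the certificate.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// pinSatisfied is the pinning check: some certificate in the presented chain must carry a pinned key.
func pinSatisfied(chain []*x509.Certificate, pins map[[32]byte]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}
// scenario models the incident with constructed certs: what a root-store check and a pin check each conclude.
func scenario() (trustedByRootStore, pinMatched bool) {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil)                  // in the OS root store
	rogue, rogueKey := mkCert("Constructed Rogue Intermediate", true, root, rootKey) // trusted via that root
	leaf, _ := mkCert("mail.example.com", false, rogue, rogueKey)                   // mis-issued for the site
	realCA, _ := mkCert("Constructed Legit CA", true, nil, nil)                     // the only key the site pins
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(rogue)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "mail.example.com", Roots: roots, Intermediates: inters})
	return err == nil, pinSatisfied([]*x509.Certificate{leaf, rogue, root}, map[[32]byte]bool{spkiPin(realCA): true})
}
```

The root-store check accepts the rogue chain (the Windows situation) while the pin check rejects it (the Chrome situation), because none of the three certificates carries the pinned key.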
False certificates can be used in a variety of ways. Most obviously, they can be used to intercept and snoop on web traffic to a legitimate domain or to web-based services like Google Docs or Gmail.
False certificates have also been used in malware campaigns to “sign” malicious software, making it seem as if it comes from a legitimate publisher. Writing on Tuesday, Langley said Google did not detect “widespread abuse” and didn’t recommend that users change their passwords.
According to Langley, Google blocked the certificates in Chrome with a CRLSet push; on July 3, India’s CCA informed Google that it had revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.
After a number of high-profile lapses and security compromises at certificate authorities and other trusted parties, Google launched a Certificate Transparency program in 2012. It is a platform for detecting and reporting SSL certificates that have been mistakenly or maliciously issued by a certificate authority, or certificates that have been stolen from a legitimate certificate authority and are being used for malicious ends.
Read more about the India certificates issue here: Google Online Security Blog: Maintaining digital certificate security.