More Google Fraudulent Certificates

Bruce Morton

On July 2, Google became aware of fraudulent certificates that had been issued for Google-owned domain names. The certificates were issued by the National Informatics Centre (NIC) of India, a subordinate certification authority (CA) under the root of the Indian Controller of Certifying Authorities (India CCA).

The mis-issued certificates could have been used to spoof Google content, to run phishing attacks or to mount man-in-the-middle (MITM) attacks against Google users.

Any fraudulent activity would have been limited. The India CCA root certificate is only trusted in Microsoft Windows; it is not in the root stores of Firefox, Android, Apple iOS or OS X. Further, for Google domains, Chrome on Windows would have detected the mis-issued certificates through public key pinning, because the chain through NIC and India CCA does not contain any of the keys Chrome pins for Google. Windows applications that rely on the Windows root store alone, Internet Explorer included, would not have had that protection.

The following actions were taken to resolve the problem:

  • Google blocked the mis-issued certificates in their CRLSets
  • India CCA revoked the subordinate CA certificate issued to NIC; Google also blocked these revoked certificates
  • Microsoft updated their Certificate Trust List (CTL) to remove trust of the fraudulent certificates in Windows
  • Google, through a future Chrome release, will limit trust of the India CCA root to the following domain names: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in
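The two Chrome-side controls mentioned above, public key pinning and limiting a root to a list of domains, are easy to reason about once written down. The following is an added example, not code from the post, from Chrome or from Entrust. It assumes HPKP-style pins (base64 of the SHA-256 over the certificate's SubjectPublicKeyInfo) and uses constructed placeholder byte strings in place of real SPKI DER so it runs offline; the chain is assumed to have already passed ordinary path validation, and only the two browser policies are applied on top.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP/Chrome-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def host_matches(name: str, pattern: str) -> bool:
    """True when name equals pattern or is a subdomain of it (case-insensitive)."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


# Constructed data: placeholder stand-ins for SPKI DER, not real key material.
PINNED_ROOT_SPKI = b"constructed-spki: root CA that Google's real chain uses"
PINNED_INTERMEDIATE_SPKI = b"constructed-spki: Google's intermediate CA"
OTHER_ROOT_SPKI = b"constructed-spki: some other publicly trusted root"
INDIA_CCA_ROOT_SPKI = b"constructed-spki: India CCA root"
NIC_SUBCA_SPKI = b"constructed-spki: NIC subordinate CA"
LEAF_SPKI = b"constructed-spki: server key"

# Control 1: pins per domain (covering subdomains). Any cert in the chain may satisfy a pin.
PIN_SETS = {
    "google.com": {spki_pin(PINNED_ROOT_SPKI), spki_pin(PINNED_INTERMEDIATE_SPKI)},
}

# Control 2: roots whose trust is limited to the domains listed in the post.
NAME_LIMITED_ROOTS = {
    spki_pin(INDIA_CCA_ROOT_SPKI): [
        "gov.in", "nic.in", "ac.in", "rbi.org.in",
        "bankofindia.co.in", "ncode.in", "tcs.co.in",
    ],
}


def find_pin_set(host: str):
    """Return the pin set that covers host, or None if the host is not pinned."""
    for domain, pins in PIN_SETS.items():
        if host_matches(host, domain):
            return pins
    return None


def evaluate_chain(host: str, san_names: list, chain_spkis: list):
    """Apply pinning and root name-limiting to a chain (leaf first, root last).

    Returns (accepted, reason). Path validation is assumed to have passed already.
    """
    # Control 1: a pinned host needs at least one pinned key somewhere in the chain.
    pins = find_pin_set(host)
    if pins is not None:
        chain_pins = {spki_pin(s) for s in chain_spkis}
        if not (chain_pins & pins):
            return False, "pin validation failed: no pinned key in the chain"

    # Control 2: a name-limited root may only vouch for names under its allowed domains.
    allowed = NAME_LIMITED_ROOTS.get(spki_pin(chain_spkis[-1]))
    if allowed is not None:
        for name in san_names:
            if not any(host_matches(name, d) for d in allowed):
                return False, f"root is limited to {allowed}; {name!r} is outside that set"

    return True, "accepted"


if __name__ == "__main__":
    legit = [LEAF_SPKI, PINNED_INTERMEDIATE_SPKI, PINNED_ROOT_SPKI]
    rogue = [LEAF_SPKI, NIC_SUBCA_SPKI, INDIA_CCA_ROOT_SPKI]
    print(evaluate_chain("www.google.com", ["www.google.com"], legit))   # accepted
    print(evaluate_chain("www.google.com", ["www.google.com"], rogue))   # pin failure
    print(evaluate_chain("www.nic.in", ["www.nic.in"], rogue))           # accepted
    print(evaluate_chain("www.example.in", ["www.example.in"], rogue))   # name limit
```

The order of the two checks matches what happened in the incident: pinning is what would have caught the NIC certificate for a Google name, while the name limit is the later, broader fix that stops the same root from vouching for any name outside the listed Indian domains, whether or not the victim site is pinned.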

Although the SSL industry has taken many measures to prevent fraudulent certificates from being issued, this incident shows that it can still happen. When preventive measures fail, the argument is that a monitoring system is required so that domain owners can detect when any CA, not only the ones they do business with, has issued a certificate for their domain names.

The monitoring system at the forefront is Certificate Transparency (CT), which Google is pushing to have deployed. We will address CT in a future blog post.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
