On July 2, Google became aware of fraudulent certificates that were incorrectly issued to Google-owned domain names. The certificates were issued by National Informatics Centre (NIC) of India, which is a subordinate certification authority (CA) to Indian Controller of Certifying Authorities (India CCA).
The mis-issued certificates could have been used to spoof content, perform phishing attacks or perform man-in-the-middle (MITM) attacks.
Any fraudulent activity would have been limited. The India CCA root certificate is trusted only by Microsoft Windows; it is not trusted by Firefox, Android, Apple iOS or OS X. Further, for Google domains, Chrome on Windows would have detected the fraudulent certificates through public key pinning, since the certificates did not chain to any of the public keys pinned for those domains.
The following actions were taken to resolve the problem:
- Google blocked the mis-issued certificates in their CRLSets
- India CCA revoked the subordinate CA certificate issued to NIC. Google also blocked these revoked certificates
- Microsoft updated their Certificate Trust List (CTL) to remove trust of the fraudulent certificates in Windows
- Google, through a future Chrome release, will limit trust of the India CCA root to the following domain names: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in
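The last item is a domain restriction on a root: a chain ending at the India CCA root is accepted only if every name in the leaf certificate falls under one of the listed domains. The following is an added example of how such a check can be applied, written for this post rather than taken from Chrome or from Google. It follows the DNS name-constraint matching of RFC 5280 section 4.2.1.10 (a name satisfies a permitted domain when it equals it or is a subdomain of it); the wildcard handling is a conservative choice of this example, and the SAN lists it checks are constructed stand-ins for real certificates.

```python
"""Emulate a per-root domain restriction on the names a leaf certificate may carry.

Added example, not Chrome's or Google's code.  Input is the list of DNS names
from a leaf certificate's Subject Alternative Name extension; output is the
subset of names the restricted root is not permitted to certify.
"""

# Domain names to which the post says a future Chrome release limits the
# India CCA root.
INDIA_CCA_PERMITTED = (
    "gov.in", "nic.in", "ac.in", "rbi.org.in",
    "bankofindia.co.in", "ncode.in", "tcs.co.in",
)


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'NIC.IN.' compares as 'nic.in'."""
    return name.strip().lower().rstrip(".")


def name_within_domain(name: str, domain: str) -> bool:
    """True if `name` equals `domain` or is a subdomain of it (RFC 5280 4.2.1.10).

    Assumption of this example: a wildcard name ('*.example.in') is accepted
    only when the part after '*.' is itself within the domain; otherwise
    '*.in' would cover gov.in and google.in alike.  A '*' anywhere else is
    rejected outright.
    """
    name, domain = _normalize(name), _normalize(domain)
    if not name or not domain:
        return False
    if name.startswith("*."):
        base = name[2:]
        return "*" not in base and name_within_domain(base, domain)
    if "*" in name:
        return False
    # The leading dot stops 'evil-rbi.org.in' from matching 'rbi.org.in'.
    return name == domain or name.endswith("." + domain)


def names_outside_domains(san_names, permitted_domains=INDIA_CCA_PERMITTED):
    """Return the SAN names that fall outside every permitted domain.

    An empty list means the certificate stays within the root's permitted
    domains; a non-empty list names what makes the chain unacceptable.
    """
    return [n for n in san_names
            if not any(name_within_domain(n, d) for d in permitted_domains)]


if __name__ == "__main__":
    # Constructed SAN lists standing in for leaf certificates (not real certs).
    cases = {
        "legitimate": ["www.nic.in", "*.gov.in", "rbi.org.in"],
        "fraudulent": ["www.google.com", "mail.google.com", "*.google.com"],
        "lookalike":  ["evil-rbi.org.in", "bankofindia.co.in.attacker.example", "*.in"],
    }
    for label, names in cases.items():
        bad = names_outside_domains(names)
        print(f"{label:10s} -> {'OK' if not bad else 'REJECT ' + str(bad)}")
```

The check runs after ordinary chain validation, not instead of it: a name passing this filter says nothing about whether the signature chain is valid, only that the root is allowed to vouch for that name. The lookalike case shows why the match insists on a label boundary: a certificate for evil-rbi.org.in must not be accepted because it happens to end in the permitted string.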
Although the SSL industry has taken many measures to prevent fraudulent certificates from being issued, this incident shows that it can still happen. When preventative measures fail, a monitoring system is needed that lets domain owners detect when a certificate has been issued for their domain names, so that mis-issuance is discovered by the victim rather than only by chance.
The monitoring system at the forefront is called Certificate Transparency (CT), which Google is pushing to be deployed. We will address CT in a future blog post.