Google has identified and blocked unauthorized digital certificates for a number of its domains issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology.
The National Informatics Centre (NIC) holds several intermediate Certification Authority (CA) certificates trusted by the Indian government’s top CA, the Indian Controller of Certifying Authorities (India CCA). The India CCA root certificates are included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome.
Rogue digital certificates pose a serious security and privacy threat: an attacker holding one can intercept the encrypted communication between a user’s device and an HTTPS website that the user believes to be secure.
Google became aware of the fake certificates last Wednesday, July 2, and within 24 hours the Indian Controller of Certifying Authorities (India CCA) revoked all the NIC intermediate certificates and also issued a CRLSet to block the fraudulent certificates in Chrome. CRLSets enable Chrome to block certificates in an emergency.
The search engine giant believes that no other root stores include the India CCA certificates, which means that Chrome on other operating systems (Chrome OS, Android, iOS and OS X) was not affected.
“Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misused certificates for other sites may exist,” said Google security engineer Adam Langley.
Langley added that “Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”
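The two client-side defences the article mentions, public-key pinning and CRLSet-style emergency blocking, are easy to see in a small model. The following Go program is an added example for this page, not Google’s or Chromium’s code. It builds a constructed trust scenario: a root CA ("Example Root CA"), a legitimate leaf for a hypothetical host ("www.example.test"), and a second intermediate ("Rogue Intermediate") that is also trusted by the root and mis-issues a leaf for the same host. Ordinary path validation accepts both chains; only the pin (here the site’s own key, though pins may also name a CA key) and the block list reject the rogue one. The block list is modelled as SPKI hashes only; Chrome’s real CRLSets can also block by issuer and serial number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// All names below (root, intermediate, host) are constructed for this demo
// and do not refer to any real CA or site.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl builds a minimal certificate template: CA templates get certSign usage,
// leaf templates get a DNS SAN for host and the serverAuth EKU.
func tmpl(cn string, serial int64, ca bool, host string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{host}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// SPKIHash is base64(SHA-256(SubjectPublicKeyInfo)), the form Chrome uses for
// public-key pins and for CRLSet SPKI blocks.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Policy models per-host key pins (satisfied if any certificate in the chain
// carries a pinned key) and an emergency block list of SPKI hashes that is
// pushed to clients out of band, as a CRLSet is.
type Policy struct {
	Pins        map[string]map[string]bool
	BlockedSPKI map[string]bool
}

// Check runs ordinary path validation against roots, then the block list,
// then the pins for host, and reports the first failure.
func (p Policy) Check(host string, chain []*x509.Certificate, roots *x509.CertPool) error {
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	for _, c := range chain {
		if p.BlockedSPKI[SPKIHash(c)] {
			return fmt.Errorf("CRLSet: %q is blocked", c.Subject.CommonName)
		}
	}
	if pins, ok := p.Pins[host]; ok {
		for _, c := range chain {
			if pins[SPKIHash(c)] {
				return nil
			}
		}
		return errors.New("pinning: no certificate in chain carries a pinned key")
	}
	return nil
}

// Scenario returns the outcomes for the legitimate chain, the rogue chain on a
// pinned host, and the rogue chain once the intermediate's SPKI is blocked.
func Scenario() (legit, roguePinned, rogueBlocked error) {
	const host = "www.example.test"
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, legitKey, rogueCAKey, rogueLeafKey := key(), key(), key(), key()
	rootT := tmpl("Example Root CA", 1, true, "")
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	legitLeaf := sign(tmpl(host, 2, false, host), root, &legitKey.PublicKey, rootKey)
	rogueCA := sign(tmpl("Rogue Intermediate", 3, true, ""), root, &rogueCAKey.PublicKey, rootKey)
	rogueLeaf := sign(tmpl(host, 4, false, host), rogueCA, &rogueLeafKey.PublicKey, rogueCAKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	rogueChain := []*x509.Certificate{rogueLeaf, rogueCA}

	pinned := Policy{Pins: map[string]map[string]bool{host: {SPKIHash(legitLeaf): true}}}
	legit = pinned.Check(host, []*x509.Certificate{legitLeaf}, roots)
	roguePinned = pinned.Check(host, rogueChain, roots)
	// Without a pin the rogue chain is accepted until the block list names its issuer.
	blocked := Policy{BlockedSPKI: map[string]bool{SPKIHash(rogueCA): true}}
	rogueBlocked = blocked.Check(host, rogueChain, roots)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("legitimate chain:", a)
	fmt.Println("rogue chain, pinned host:", b)
	fmt.Println("rogue chain, SPKI blocked:", c)
}
```

The point the program makes is the one Langley makes: the root store alone cannot tell the two chains apart, so a mis-issued certificate is caught only by a pin the site has registered in advance or by a block list the browser vendor can push after the fact.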
It’s the second high-profile incident of a government agency caught issuing fake SSL certificates since December, when Google revoked trust for a digital certificate for several of its domains that had been mistakenly signed by a French government intermediate certificate authority.
Google has taken several measures to strengthen the security of its certificates. SSL certificates remain one of the core elements of online security, but because hundreds of entities issue certificates, it is difficult for the company to identify rogue certificates that were issued without following proper procedures.
One such measure is Google’s recently launched Certificate Transparency project, which provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.
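Certificate Transparency’s auditability rests on an append-only Merkle tree over the logged certificates (RFC 6962): a log that has issued a signed tree head must be able to produce, for any certificate it claims to contain, a short inclusion proof that anyone can check against the tree head. The Go program below is an added example for this page, not code from the Certificate Transparency project or any log; it implements the RFC 6962 tree hash, audit-path generation and the standard verification procedure over a few constructed byte-string leaves that stand in for encoded certificates.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Leaf and node hashes use the RFC 6962 domain-separation prefixes (0x00 / 0x01)
// so that a leaf can never be confused with an interior node.
func leafHash(leaf []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(leaf)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPow2Below returns the largest power of two strictly less than n (n >= 2).
func largestPow2Below(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// MerkleRoot computes MTH(D[n]) as defined in RFC 6962 section 2.1.
func MerkleRoot(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return leafHash(leaves[0])
	}
	k := largestPow2Below(len(leaves))
	return nodeHash(MerkleRoot(leaves[:k]), MerkleRoot(leaves[k:]))
}

// InclusionProof returns the audit path PATH(m, D[n]) for the leaf at index m:
// the sibling hashes needed to recompute the root from that leaf.
func InclusionProof(m int, leaves [][]byte) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPow2Below(n)
	if m < k {
		return append(InclusionProof(m, leaves[:k]), MerkleRoot(leaves[k:]))
	}
	return append(InclusionProof(m-k, leaves[k:]), MerkleRoot(leaves[:k]))
}

// VerifyInclusion is the auditor's side: given a leaf, its index, the tree size,
// the audit path and the root from a signed tree head, it recomputes the root
// (the algorithm in RFC 9162 section 2.1.3.2) and reports whether it matches.
func VerifyInclusion(leafIndex, treeSize int, leaf []byte, proof [][]byte, root []byte) bool {
	if leafIndex < 0 || leafIndex >= treeSize {
		return false
	}
	fn, sn := leafIndex, treeSize-1
	r := leafHash(leaf)
	for _, p := range proof {
		if sn == 0 {
			return false // more path elements than the tree size allows
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = nodeHash(r, p) // sibling is on the right
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	// Constructed stand-ins for DER-encoded certificates appended to a log.
	leaves := [][]byte{[]byte("cert-0"), []byte("cert-1"), []byte("cert-2"), []byte("cert-3"), []byte("cert-4")}
	root := MerkleRoot(leaves)
	proof := InclusionProof(3, leaves)
	fmt.Printf("root %x\n", root)
	fmt.Println("cert-3 included:", VerifyInclusion(3, len(leaves), leaves[3], proof, root))
	fmt.Println("forged leaf included:", VerifyInclusion(3, len(leaves), []byte("cert-X"), proof, root))
}
```

A site owner or monitor can thus confirm that every certificate the log claims for a domain is really in the tree the log signed, and a log cannot later drop or alter a logged certificate without producing a tree head that fails this check.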
DigiCert was one of the first Certificate Authorities to implement Certificate Transparency, after working with Google for a year to pilot the project.
Google also upgraded its SSL certificates from 1024-bit to 2048-bit RSA keys to make them harder to break: the longer key length makes it far more difficult for a cyber criminal to break the SSL connections that secure your email, banking transactions and much more.