The Indian Controller of Certifying Authorities said that the certificate-issuance process for the National Informatics Centre of India, which issued several fraudulent certificates recently, which were blocked by Google, has been compromised and Google has decided to constrain India CCA’s root certificate to a handful of domains in a future Chrome release.
Google’s security team on July 2 noticed that there were fraudulent certificates for several Google domains in circulation. The company looked into the incident and found that the certificates were issued by NIC and were in the Microsoft Root Store. Google blocked the certificates and alerted NIC, India CCA and Microsoft about the problem. India CCA started an investigation into the incident and on Wednesday the organization told Google that it found the NIC issuance process was compromised.
More worryingly, though, is that it doesn’t appear that the entire scope of the compromise is clear at this point.
“India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown,” Adam Langley, a security engineer at Google, said in an update to the company’s post on the incident.
As a result of this, Google officials said they will limit the number of domains and subdomains that India CAA’s root certificate can be used for. In a forthcoming release of the Chrome browser, Google will constrain the India CCA root certificate to these domains:
This is far from the first time that incorrectly or fraudulently issued certificates have turned up and caused problems for browser vendors and users. Researchers at Google and other companies have identified such problems several times in the past, some of which have stemmed from compromises at certificate authorities such as DigiNotar, Comodo and others.
Microsoft also has released an advisory on this issue and says that it is pushing out an update to its Certificate Trust List that will address the problem for most Windows users.
“To help protect customers from potentially fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue,” the advisory says.