Google said today that it has blocked unauthorized digital certificates for a number of its domains issued by the National Informatics Centre of India.
The phony certificates could allow an attacker to intercept and read traffic on a connection that the user believes to be secure.
NIC, Google said, holds intermediate CA certs trusted by the Indian government’s top CA, which are in the Microsoft Root Store and trusted by many applications running on Windows, including Internet Explorer and Google’s Chrome browser.
The discovery was made last Wednesday and within 24 hours, Google had issued a CRLSet to block the fraudulent certs in Chrome. CRLSets enable Chrome to block certificates in an emergency.
Google said that no other root stores include the certificates from the Indian CA, meaning that Chrome on Mac OS X, iOS, Android and other operating systems was not impacted.
“Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist,” said Google security engineer Adam Langley.
Langley added that Chrome users are protected by the CRLSet update.
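The two controls the article describes are easy to confuse, so here is an added illustration (not code from Google or from the article) of how a browser applies them in sequence: a chain is first built to a root in the platform's store, then any certificate whose (issuer SPKI hash, serial number) pair is listed in a CRLSet is blocked, and for pinned hosts such as google.com some certificate in the chain must carry a pinned SubjectPublicKeyInfo hash. All certificates, key bytes, serials and store contents below are constructed stand-ins; the use of SHA-256 over the SPKI and the exact CRLSet key shape are assumptions about the real mechanisms.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo (constructed, not a real key)

def spki_hash(cert):
    # Both the CRLSet entries and the pins below are keyed on a hash of the SPKI (assumed SHA-256)
    return hashlib.sha256(cert.spki).hexdigest()

# Constructed certificates; the names mirror the article's actors, the bytes are placeholders.
INDIA_ROOT = Cert("India CCA Root", "India CCA Root", 1, b"india-root-key")
NIC_SUB = Cert("NIC Sub-CA", "India CCA Root", 2, b"nic-sub-key")
GEOTRUST = Cert("GeoTrust Root", "GeoTrust Root", 3, b"geotrust-root-key")
GOOGLE_CA = Cert("Google Internet Authority", "GeoTrust Root", 4, b"gia-key")
ROGUE_GOOGLE = Cert("*.google.com", "NIC Sub-CA", 1001, b"rogue-google-key")
ROGUE_OTHER = Cert("mail.example.org", "NIC Sub-CA", 1002, b"rogue-other-key")
REAL_GOOGLE = Cert("*.google.com", "Google Internet Authority", 5, b"real-google-key")

# The Indian root is only in the Windows store; the other platforms never trusted it.
ROOT_STORES = {"windows": {spki_hash(INDIA_ROOT), spki_hash(GEOTRUST)},
               "android": {spki_hash(GEOTRUST)}}
# Static pins: some certificate in a google.com chain must carry one of these SPKI hashes.
PINS = {"google.com": {spki_hash(GOOGLE_CA)}}
# Emergency CRLSet pushed after the discovery: (issuer SPKI hash, serial) of the certs to block.
EMERGENCY_CRLSET = {(spki_hash(NIC_SUB), 1001), (spki_hash(NIC_SUB), 1002)}

def verify(chain, host, platform, crlset=frozenset()):
    """chain is [leaf, ..., root]. Returns 'ok' or the first reason the chain is rejected."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "chain broken"
    if spki_hash(chain[-1]) not in ROOT_STORES[platform]:
        return "untrusted root"
    # CRLSet lookup: a certificate is identified by its issuer's SPKI hash plus its own serial
    for child, parent in zip(chain, chain[1:]):
        if (spki_hash(parent), child.serial) in crlset:
            return "blocked by CRLSet"
    pins = PINS.get(host)
    if pins and not any(spki_hash(c) in pins for c in chain):
        return "pin validation failed"
    return "ok"

if __name__ == "__main__":
    rogue = [ROGUE_GOOGLE, NIC_SUB, INDIA_ROOT]
    print(verify(rogue, "google.com", "windows"))                                   # pin validation failed
    print(verify([ROGUE_OTHER, NIC_SUB, INDIA_ROOT], "example.org", "windows"))     # ok
    print(verify([ROGUE_OTHER, NIC_SUB, INDIA_ROOT], "example.org", "windows", EMERGENCY_CRLSET))  # blocked by CRLSet
    print(verify(rogue, "google.com", "android"))                                   # untrusted root
```

The second call is the point of Langley's caveat: before the CRLSet lands, a misissued certificate for an unpinned site chains cleanly to the Windows store, so pinning alone only protected Google's own domains.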
“We have no indication of widespread abuse and we are not suggesting that people change passwords,” Langley said.
Google has advanced the security of its certificates in the past 12 months, starting with upgrading the strength of its SSL certs to 2048-bit RSA from 1024-bit. Longer key lengths make it more difficult for an attacker to crack the SSL connections that secure email, banking transactions and more. The decision was made a month ahead of the Snowden revelations, which cemented the NSA’s suspected interest in beating SSL.
In February at the TrustyCon event running simultaneously with the RSA Conference, Google announced its Certificate Transparency project, which provides a public log of digital certificates that have been issued. Google said that once the logs are widely implemented, the threats presented by misissued certificates or rogue certificate authorities could be mitigated. The problem, however, is that certificate authorities must cooperate and submit their certs to the public logs. To date, that hasn’t enjoyed broad adoption.
“We need to get the CAs to change their behavior so they emit certificates this way,” Chris Palmer, a security engineer on the Chrome team at Google, said in a talk at TrustyCon.