Pierluigi Paganini
July 10, 2014
Google announced to have blocked unauthorized digital certificates for different of its domains issued by the National Informatics Centre of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
Last week, the Google security team observed some unauthorized certificates on some of Google domains and immediately it has triggered the alert, the unauthorized digital certificates could be used for cyber espionage, an attacker could use them to access traffic on a connection considered secure by the victims.
The use of an SSL digital certificate allows the creation of an encrypted channel between two parties, internet users seeing the SSL padlock in their browser believe that they are surfing over a secure (encrypted) link to the website and that the website displaying the padlock is a valid and legitimate organization.
For the above reason an attacker could steal a digital certificate or anyway abusing of a PKI infrastructure. An SSL Certificate issued by trusted Certificate authorities is normally used to authenticate among users and visitors with its effective encrypted connections. The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows OS. The worrying aspect of the alert launched by the Google is that the majority of western companies ordinarily uses intermediate Certificates issued by India CCA.
Giving a look to the most popular web browsers it is possible to verify that Google Chrome and IE Explorer use the Microsoft Root Store while Firefox uses its own root store and for this reason in not affected in the specific case.
“We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist. We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.” reported Adam Langley, Security Engineer at Google
Google immediately informed the CCA, Microsoft and NIC on the use of unauthorized digital certificates while the India CCA is still investigating this incident.
“Due to security reasons NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted.” NIC reported on its website.
“We have no indication of widespread abuse and we are not suggesting that people change passwords,” Langley said.
Google is very active in the prevention of any abuse of stolen or unauthorized digital certificates, the company in February during the TrustyCon event presented its Certificate Transparency project, a sort of a public register of digital certificates that have been issued.
“Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.” states the official page of the project.
Unfortunately still many certificate authorities aren’t providing to the public logs.
Security Affairs – (Digital certificate, Google)
