Investigation underway after Indian agency issues fake certificates to Google domains
The Indian Controller of Certifying Authorities (India CCA) has launched an investigation into the issuance of unauthorized digital certificates for Google domains by the National Informatics Center Certifying Authority. Such a certificate could have been used to trick a service into thinking that a fake domain was legitimate.
In a post on its security blog, Google stated that the unauthorized certificates were included in Microsoft's Root Store, meaning that a majority of Windows programs that use SSL would trust these certificates.
Exceptions include Firefox, which uses its own root store, and Chrome, which uses additional TLS/SSL security measures to safeguard users from unauthorized certificates. Furthermore, Google blocked these certificates in Chrome with a CRLSet push. Google also clarified that Chrome on other platforms, including Chrome OS, Android, iOS and OS X, was not affected, as the Indian CCA certificates are not included in these root stores.
Google was in contact with the India CCA, which rolled out a subsequent CRLSet push to revoke the NIC certificates, rendering all NIC domains inaccessible. The NICAA has since ceased issuing digital certificates for the time being, and has the following message on its website:
Source: Google
Harish Jonnalagadda is Android Central's Senior Editor of Asia. In his current role, he oversees the site's coverage of Chinese phone brands, networking products, and AV gear. He has been testing phones for over a decade, and has extensive experience in mobile hardware and the global semiconductor industry. Contact him on Twitter at @chunkynerd.