Google catches India with fake certificates, invokes controversial ‘CRLSets’

Google has caught and blocked unauthorised digital certificates for several Google domains that were issued by a unit in India’s Ministry of Communications and Information Technology.
Google has warned of a potentially serious security and privacy threat affecting only Windows users thanks to mis-issued secure sockets layer (SSL) certificates that could allow an attacker to snoop on encrypted communications between a user’s device and a secure HTTPS website.

According to Google security engineer Adam Langley, on Wednesday July 2, Google discovered that India’s National Informatics Centre (NIC) had issued rogue SSL certificates for “several Google domains”.

It’s the second high-profile incident of a government intermediate certificate authority caught issuing rogue SSL certificates since December, when Google announced that a French agency had issued rogue certificates for several of its domains.

NIC holds “several intermediate CA certificates” that are trusted by the Indian Controller of Certifying Authorities (CCA), which governs India’s root certifying authority (CA). A root CA passes the trust that web browsers place in it down to the intermediate certificates it signs. Those intermediates can in turn issue certificates of their own, so a mis-issued intermediate certificate lets its holder impersonate any website they wish to.

However, because NIC’s certificates are tied to CCA’s, the rogue certificates in this case only impact applications on Windows systems, according to Langley.

“The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.”

Unlike Firefox, Chrome relies on the root certificate store of Windows and Apple OS X -- in other words, the operating system. And in the case of Linux, Chrome uses the Mozilla Network Security Services library to perform certificate verification.

A Microsoft spokesperson said the company was aware of the NIC issue.
“We are aware of the mis-issued third-party certificates and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected,” a Microsoft spokesperson said in a statement.

Google invokes CRLSet to block rogue certificates

Google’s method of blocking the rogue certificates is likely to stir up tensions in the CA community, which doesn’t like the fact that Google is forging its own path to blocking rogue certificates.

As Langley notes, Google blocked the rogue certificates in Chrome with a “CRLSet push” -- a custom Chrome function that Google reserves for “emergency situations” when it wants to revoke a certificate.

“On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation,” wrote Langley.

“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”
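The chain of trust described above and the effect of a CRLSet push, as an added Go example that is not from the article or from Google: a constructed root (standing in for a trusted root such as India CCA), a constructed intermediate under it (standing in for NIC) and a leaf that intermediate issues for www.example.com, a domain it should never certify. Path validation accepts the leaf; a block set keyed on the intermediate's SubjectPublicKeyInfo hash, a simplified model of how CRLSets identify a blocked issuer, then rejects the same chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates a CA or leaf certificate for cn signed by parent; with a nil parent it is self-signed (a root).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // the CA flag is what lets an intermediate sign further certificates
	}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// blockedIssuer mirrors the CRLSet check that runs after path validation: the chain is rejected if any
// certificate in it has a SubjectPublicKeyInfo hash that has been pushed to the block set.
func blockedIssuer(chain []*x509.Certificate, blocked map[[32]byte]bool) bool {
	for _, c := range chain {
		if blocked[sha256.Sum256(c.RawSubjectPublicKeyInfo)] {
			return true
		}
	}
	return false
}
// scenario uses constructed certificates: a trusted root (stand-in for India CCA), an intermediate under it
// (stand-in for NIC) and a leaf that intermediate issues for a domain it should never certify.
func scenario() (chainErr error, blockedBefore, blockedAfter bool) {
	root, rootKey := issue("Constructed Root CA", 1, true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("www.example.com", 3, false, inter, interKey, "www.example.com")
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	// Path validation alone accepts the leaf: it chains to a trusted root, as the NIC certificates did on Windows.
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.com", Roots: roots, Intermediates: inters})
	if err != nil { return err, false, false }
	blocked := map[[32]byte]bool{sha256.Sum256(inter.RawSubjectPublicKeyInfo): true} // what a CRLSet push adds
	return nil, blockedIssuer(chains[0], nil), blockedIssuer(chains[0], blocked)
}
```

Revoking the intermediate at the CA, as India CCA did on July 3, does not by itself change what a client accepts; the client has to learn of the revocation, which is what the push delivers.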

Following the Heartbleed OpenSSL vulnerability disclosure, the CA Security Council criticised Google’s CRLSets — certificate revocation lists — for breaking away from the CA industry’s preferred protocol for handling certificate revocation, called Online Certificate Status Protocol (OCSP), which is still supported by Microsoft and Apple.


The council said Google was cherry-picking “high-profile” certificates that should not be trusted, claiming that while OCSP wasn’t perfect it could still be valuable and should be recognised by Chrome.

“Even if revocation checking by OCSP isn’t 100 percent accurate, it can still protect a high percentage of users who navigate to a site with a revoked certificate and receive an OCSP response indicating revocation. Turning off revocation checking for everyone means that no one is protected,” the CA Security Council said.


Follow Liam Tung on Twitter 

This article is brought to you by Enex TestLab, content directors for CSO Australia.
