NIC India issues digital certificates for Google domains

    On July 2, Google discovered several fake digital certificates for its domains that had been issued by the National Certificate Authority (NIC) of India. It is possible that NIC also issued certificates for domains other than Google's.

    NIC's certificates belong to the Indian Controller of Certifying Authorities (India CCA) hierarchy, which is included in the Microsoft Root Store. As a result, the fake certificates were unfortunately trusted by a large number of Windows programs, including the Internet Explorer and Chrome browsers. Only Firefox uses its own root store rather than the Microsoft Root Store.

    Chrome on other operating systems, including Chrome OS, Android, iOS and OS X, is not vulnerable. Moreover, for Google's own sites Chrome would not have accepted the fake certificates even on Windows: several years ago, after the well-known CA incidents, Google began maintaining its own list of expected certificates and "pins" them in Chrome (the certificate pinning feature).

    Google notified India NIC, India CCA and Microsoft of the incident. India CCA revoked the certificates on July 3 and launched an investigation.

    Fake certificates have been issued in past years as well, including deliberately, for MITM attacks commissioned by the national governments of several countries. Such certificate spoofing is very difficult to detect on the server side; in fact, there is no completely reliable way to check for it. In this case the fake was noticed, one might say, by chance: thanks to the certificate pinning feature mentioned above for Google's sites.
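The check that caught these certificates, reduced to code as an added example (this is not Google's or Chrome's code): a constructed throwaway root plays the role of a CA present in the OS root store; it issues the site's genuine key and later a second key for the same host. Both certificates pass ordinary chain validation against that root; only the pinned key passes the pin check. All names, hosts and keys are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for name with the parent's key; a nil parent yields a self-signed root (constructed test PKI, not a real CA).
func issue(name string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pk = tmpl, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// check runs ordinary root-store validation, then the pin check: a certificate in the validated chain must carry a pinned SubjectPublicKeyInfo hash. Returns (chainValid, pinMatched).
func check(leaf, root *x509.Certificate, host string, pins map[[32]byte]bool) (bool, bool) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, c := range chains[0] { // one trusted root here, so one chain
		if pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)] { // browsers pin the key, not the certificate
			return true, true
		}
	}
	return true, false
}
// Scenario: a root the store trusts issues the site's genuine key, then a second key for the same host (the mis-issuance).
func Scenario() (genuinePinned, forgedValid, forgedPinned bool) {
	root, rootKey := issue("root.constructed.test", true, nil, nil)
	genuine, _ := issue("www.example.com", false, root, rootKey)
	forged, _ := issue("www.example.com", false, root, rootKey)
	pins := map[[32]byte]bool{sha256.Sum256(genuine.RawSubjectPublicKeyInfo): true} // shipped with the browser
	_, genuinePinned = check(genuine, root, "www.example.com", pins)
	forgedValid, forgedPinned = check(forged, root, "www.example.com", pins)
	return
}
```

The mis-issued certificate validates like any other (forgedValid is true) but fails the pin (forgedPinned is false), which is exactly the signal that exposed the NIC certificates.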

    Chrome users don't need to take any extra action to protect themselves. However, the incident once again draws attention to the importance of improving the security of the CA system in the future, for example by maintaining a global public database of issued certificates against which browsers can check.
