The scope of a recent security breach at a digital certificate authority (CA) controlled by the Indian government is bigger than initially thought and also targeted domain names owned by Yahoo, in addition to several owned by Google.
Google said Tuesday that a week earlier it detected several certificates for Google domain names that had been issued without authorization by the National Informatics Centre (NIC), a branch of the Indian Ministry of Communications and Information Technology.
Certificate authorities are supposed to only issue digital certificates to the owners of the domain names for which they are requested. That's because in the hands of attackers rogue certificates can be used to impersonate legitimate websites and snoop on the encrypted communications of users who connect to those sites if their connections are intercepted en route.
As a CA, NIC was subordinated to India's Controller of Certifying Authorities (India CCA), a certificate authority included in the Microsoft Root Store and trusted by default by the majority of programs that run on Windows, including Google Chrome and Internet Explorer. Mozilla Firefox wasn't affected by the incident because it maintains its own root store that didn't include India CCA. Web browsers running on Linux, Android or Mac OS X were not affected either.
It wasn't clear initially whether NIC issued the rogue certificates for Google's domain names as a result of human error or a security breach, but an investigation by India CCA pointed to the latter.
India CCA "reported that NIC's issuance process was compromised and that only four certificates were misissued; the first on June 25," Google security engineer Adam Langley said Wednesday in an update to his original blog post about the issue. Of the four certificates wrongly issued by NIC and identified by India CCA, three were for Google domain names and one was for domains belonging to Yahoo, Langley said.
India CCA and NIC did not immediately respond to an inquiry seeking more information about how the breach occurred and its impact.
According to Langley, Google is aware of more rogue certificates issued by NIC aside from the four mentioned by India CCA. As a result the company "can only conclude that the scope of the breach is unknown," he said.
NIC's own CA certificates have been revoked by India CCA following the compromise and the organization has a notice on its website that reads: "Due to security reasons NICCA [NIC Certifying Authority] is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon."
The revocation has affected Indian government websites with SSL certificates issued by NIC, because revoking a CA certificate invalidates all certificates signed by it. For example, attempting to access https://rtionline.gov.in/, an Indian government portal for submitting right to information (RTI) requests, in Google Chrome or Internet Explorer will result in a security error because its certificate was issued by NIC and is no longer trusted.
Sign up for CIO Asia eNewsletters.