On Tuesday, July 8 Google reported the discovery of unauthorized digital certificates for several Google domains. The certificates were issued by India’s National Informatics Centre (NIC), which has several intermediate certificates trusted under the Indian Controller of Certifying Authorities (India CCA) root certificate. India CCA certificates are trusted by most programs running Windows—including Internet Explorer and Chrome—because India CCA’s roots are included in the Microsoft root store. Firefox and Safari use their own root stores and do not trust the certificates by default.
Upon discovery, Google alerted NIC, India CCA, and Microsoft about the incident and blocked the misissued certificates in Chrome. The day after the discovery, India CCA revoked the NIC intermediate certificates and Google added the certificates to its CRLSets. Google also announced that it would limit the trust of India CCA roots to just seven domains.
Shortly after the announcement, Microsoft stated that it was aware of the issue and had updated the Certificate Trust List for all supported releases of Windows to remove trust in the misissued certificates. Microsoft also said it was not aware of any active attacks against its domains, and, according to Google’s Adam Langley, there is no indication of widespread abuse.
One new industry development that would have provided earlier detection of the misissued certificates is Google’s proposed Certificate Transparency (CT) project. CT provides insight into each certificate issued by a CA, alerting affected entities immediately after the certificate’s issuance. DigiCert was among the first to recognize the importance of providing this information to domain owners and welcomes CT as one potential way to increase industry transparency. DigiCert already offers Certificate Transparency to our customers and is continuing to help advance Certificate Transparency deployment and adoption ahead of the implementation timelines that were already announced by Google.
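The monitoring side of CT is what would have surfaced the NIC certificates early: a domain owner watches the log entries as they appear and raises an alert whenever a certificate naming one of its domains comes from a CA it never authorised. The following is an added example of that check, not DigiCert's or Google's code; the log entries, the CA names and the per-domain issuer policy are all constructed for the demonstration, and a real monitor would read entries from a public CT log's get-entries interface instead.

```python
"""Minimal Certificate Transparency monitor over constructed log entries.

Added example, not code from DigiCert or Google. Entries, issuer names and
the monitored-domain policy are constructed; a real monitor would fetch
entries from a CT log and parse the (pre)certificate it carries.
"""
from dataclasses import dataclass


@dataclass
class LogEntry:
    issuer: str          # common name of the issuing (intermediate) CA
    sans: list           # subjectAltName DNS names in the certificate
    log_timestamp: str   # when the log accepted the (pre)certificate


@dataclass
class Alert:
    domain: str          # monitored domain that was matched
    san: str             # the SAN that matched it
    issuer: str          # the unexpected issuer
    log_timestamp: str


def san_matches(san: str, domain: str) -> bool:
    """True if a SAN covers the monitored domain or any of its subdomains.

    A wildcard SAN such as *.example.com is treated as covering the names
    one label below example.com, so it matters to the owner of example.com.
    """
    san = san.lower()
    domain = domain.lower()
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def monitor(entries, policy):
    """Return one Alert per (monitored domain, SAN) pair whose certificate
    was issued by a CA outside the domain owner's allowed set.

    policy maps a monitored domain to the set of issuer names that are
    allowed to issue for it and its subdomains.
    """
    alerts = []
    for entry in entries:
        for domain, allowed_issuers in policy.items():
            for san in entry.sans:
                if san_matches(san, domain) and entry.issuer not in allowed_issuers:
                    alerts.append(Alert(domain, san, entry.issuer, entry.log_timestamp))
    return alerts


# Constructed log entries: the second one is the shape of a misissuance,
# a regional intermediate issuing a wildcard for a domain it has no
# business with. Names are placeholders, not real CAs or domains.
CONSTRUCTED_ENTRIES = [
    LogEntry("Example Public CA G2", ["www.example.com", "example.com"], "2014-07-01T10:00:00Z"),
    LogEntry("Regional Gov CA Intermediate", ["*.example.com"], "2014-07-08T08:15:00Z"),
    LogEntry("Regional Gov CA Intermediate", ["portal.gov.example"], "2014-07-08T08:16:00Z"),
    LogEntry("Example Public CA G2", ["mail.example.com"], "2014-07-09T12:00:00Z"),
]

# Constructed policy: the owner of example.com only ever buys from one CA.
CONSTRUCTED_POLICY = {"example.com": {"Example Public CA G2"}}


def run_demo():
    """Run the monitor over the constructed entries and return the alerts."""
    return monitor(CONSTRUCTED_ENTRIES, CONSTRUCTED_POLICY)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert.log_timestamp}: {alert.san} issued by "
              f"'{alert.issuer}', not authorised for {alert.domain}")
```

The value of the check is its timing: the alert fires when the log accepts the precertificate, which with current logging practice is before or at issuance, rather than days later when a browser vendor notices the certificate in the wild. The third constructed entry produces no alert because portal.gov.example is not a monitored domain; the monitor deliberately reports only what the domain owner is responsible for.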
Another way to improve online trust is to ensure that all CAs follow best practices. CAs should continue to refine existing standards and recommendations produced in bodies such as the CA/Browser Forum, CA Security Council, and Internet Engineering Task Force (IETF). We stand together with the security-minded Internet community to support the many initiatives designed to improve the industry, including Certificate Authority Authorization (CAA) and OCSP Stapling/Must-Staple. DigiCert will continue to work vigorously with these bodies to advance requirements and guidelines for secure CA operations—which are enforceable by globally accepted auditing organizations and the root store operators.
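CAA is the preventive counterpart to CT's detection: before issuing, a CA looks up the domain's CAA records and refuses if the domain owner has not named it. The example below is added here to show that decision as a CA would compute it under RFC 6844 (now RFC 8659); it is not DigiCert's code. The zone data and the CA identifier strings are constructed for the demonstration, and a real CA would resolve the records over DNS (validating DNSSEC where available) at issuance time.

```python
"""CAA issuance check over a constructed DNS zone (RFC 6844 / RFC 8659 logic).

Added example, not DigiCert's code. The zone and CA identifiers are
constructed; a real CA resolves CAA via DNS at the moment of issuance.
"""

CRITICAL = 128  # issuer-critical flag bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: name -> list of (flags, tag, value) CAA records.
#   example.com allows ca-one.example for ordinary names and nobody for
#   wildcards (issuewild ";"); legacy.example.net carries an unknown
#   critical property, which must make every CA refuse.
CONSTRUCTED_CAA = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "legacy.example.net": [(CRITICAL, "futuretag", "x")],
}


def relevant_caa_set(name, zone):
    """Climb from the name toward the root; the first name that has any CAA
    records supplies the relevant set. Returns [] when nothing is found.

    A leading "*." is dropped so a wildcard request is governed by the
    records at its base name and its parents.
    """
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_may_issue(ca_id, name, zone):
    """Return True if the CA identified by ca_id may issue for name.

    Rules applied, in order:
      - no relevant CAA set: any CA may issue;
      - a critical property the CA does not understand: refuse;
      - a wildcard name uses issuewild records when any exist, else issue;
      - no records of the governing tag: any CA may issue;
      - otherwise the CA must appear in one of them ("issue ;" names nobody).
    """
    records = relevant_caa_set(name, zone)
    if not records:
        return True
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False
    tag_wanted = "issue"
    if name.startswith("*.") and any(tag == "issuewild" for _, tag, _ in records):
        tag_wanted = "issuewild"
    # The value is "<issuer-domain>[; parameters]"; only the domain part
    # identifies the CA, and an empty domain means no CA is authorised.
    authorised = [value.split(";")[0].strip()
                  for _, tag, value in records if tag == tag_wanted]
    if not authorised:
        return True
    return ca_id in authorised


if __name__ == "__main__":
    for ca, host in [("ca-one.example", "www.example.com"),
                     ("ca-two.example", "www.example.com"),
                     ("ca-one.example", "*.example.com"),
                     ("ca-one.example", "host.legacy.example.net")]:
        verdict = "may issue" if ca_may_issue(ca, host, CONSTRUCTED_CAA) else "must refuse"
        print(f"{ca} for {host}: {verdict}")
```

Two details are worth noting. CAA binds the CA, not the browser: a CA that ignores the records can still produce a certificate that clients will accept, which is why CAA only helps together with auditing of CA behaviour and with CT to expose the cases where it was ignored. And the unknown-critical rule is what keeps the mechanism extensible; a CA that silently skipped properties it did not recognise would defeat any future restriction a domain owner publishes.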
The rogue certificates issued by the NIC demonstrate the need for regional CAs to be held to the same standard as globally trusted CAs and audited against current standards by accredited and reliable auditing entities.
Online trust is essential in today’s connected world and it takes a collaborative effort to optimize it. DigiCert is working hard every day to earn the trust of our customers and enhance internet security alongside many other community participants.