New Delhi, July 15: An Indian government agency that issues digital certificates that help authenticate websites has assigned at least four certificates to entities that were not who or what they claimed to be, triggering global security advisories for Internet users.
Computer security experts say such improperly issued digital certificates represent a serious breach of protocol: they can be used to set up fake websites that pass as real ones, to capture sensitive data such as passwords or credit card details, or to eavesdrop on the connection between a user's computer and a website without either side noticing.
The late-June incident, detected in early July, has prompted Google and Microsoft to issue security advisories, alerting Internet users that India’s National Informatics Centre (NIC) had issued unauthorised certificates.
There is no evidence so far of any widespread abuse of the improperly issued certificates. In an online security blog, Adam Langley, a Google security engineer, said Google was not suggesting that people change their passwords.
India’s Controller of Certifying Authorities (CCA), the agency that authorises a few trusted entities to issue digital certificates, told Google on July 8 that an investigation had found that the process of issuing certificates had been compromised.
It said that four certificates had been “mis-issued” — three for Google domains and one for a Yahoo domain — the first on June 25.
But Google has said it is aware of mis-issued certificates that are not part of this set of four. Langley, writing on Google's online security blog, said Google could only conclude that “the scope of the breach is unknown”.
“A compromise of the certificate-issuing process is a serious matter,” said Dheeraj Sanghi, a professor of computer science and engineering at the Indian Institute of Technology, Kanpur, who specialises in computer security among other fields.
A digital certificate is the primary means by which a browser verifies that a website is what it claims to be, a check that underpins online transactions such as purchasing air tickets, ordering clothes, or accessing bank accounts.
An improperly issued digital certificate could be used to extract sensitive or proprietary information without raising any security alarm, said Sanjit Chatterjee, an assistant professor of computer science at the Indian Institute of Science, Bangalore.
“Suppose you’re doing an online transaction through the website of an organisation A. Your (web) browser checks the certificate of the website to ensure the authenticity,” Chatterjee told The Telegraph.
“But an improperly issued certificate could be used by a malicious party B to fool your browser into believing that it is communicating with the authentic website A, and not with the malicious one B.”
The certifying authority — the NIC, in this instance — plays a key role in the authentication and is particularly trusted not to issue a false or mistaken certificate. “This trust has been breached in this incident,” Chatterjee said.
“What is particularly surprising is the apparent inconsistency in the scope of the breach,” Sanghi told this newspaper.
While the CCA has admitted to four improper certificates, Google has said it knows about others. “This suggests that either the CCA is unaware about the other breaches or is not saying anything about them,” Sanghi said.
Both the CCA and the NIC are divisions in the department of electronics and information technology under the ministry of communications and information technology.
Senior officials at the CCA did not respond to email queries sent by this newspaper seeking details of the circumstances under which the improper certificates had been issued.
The NIC is meant to issue digital certificates only to government entities. Computer security analysts say that the issuance of certificates for Google and Yahoo domains, which no government entity owns, suggests an intentional malicious act rather than an accident.
Two senior officials with the Indian Computer Emergency Response Team who are familiar with the case declined to discuss the subject, saying they were not authorised to speak to the media. The emergency response team, which functions under the same ministry, is mandated to investigate computer security-related incidents.
Both Google and Microsoft have announced sets of responses. In its July 10 security advisory, Microsoft said an attacker could “use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks” against certain web properties.
Microsoft said that while the issue did not stem from any Microsoft product, it was nevertheless updating the Windows Certificate Trust List (CTL), the list of certificate authorities that Windows trusts, to remove trust in the NIC subordinate certificates, and was pushing that update out to protect customers.
The company also said it would “continue to investigate this issue and may make future changes to the CTL or release a future update to protect customers”.
Google has blocked the mis-issued certificates in Chrome and has said that a future Chrome release will limit the India CCA root certificate to specific sets of domains, so that a certificate for any other domain that chains to that root will not be trusted even if it is otherwise valid. The India CCA root reaches Chrome on Windows through the Windows root store; Firefox, which ships its own list of trusted roots that does not include India CCA, was not affected.
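To make the trust decision concrete, the following added example (not code from the article, Google or Microsoft) models what a browser does in the scenario Chatterjee describes and the two kinds of response above. A constructed India CCA root with an NIC intermediate issues a certificate for www.google.com; a browser that trusts that root accepts it. A per-certificate blocklist (Chrome's block of the mis-issued certificates, or a CTL update that distrusts the NIC intermediate) and a per-root domain restriction (Chrome's planned limit) each reject it, with different side effects for a legitimate government site. Certificate signatures are stand-in HMACs so the code runs on the Python standard library alone, and the CA names, keys and the domain list gov.in/nic.in/ac.in are assumptions for the example.

```python
"""Toy model of browser certificate-chain trust and the mitigations
discussed in the article. Added example, not the page's own code.
Signatures are HMACs so it runs on the standard library; in a real PKI
a CA signs with a private key and the cert carries only the public key."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str       # DNS name for a leaf, CA name for a CA certificate
    issuer: str        # name of the CA that signed this certificate
    key: bytes         # stands in for the subject's public key (toy: its HMAC key)
    signature: bytes   # HMAC over tbs() under the issuer's key (stand-in signature)
    is_ca: bool = False

    def tbs(self) -> bytes:
        """The to-be-signed fields in a fixed encoding."""
        return f"{self.subject}|{self.issuer}|{self.is_ca}|{self.key.hex()}".encode()

    def fingerprint(self) -> str:
        """SHA-256 over the whole certificate, which is what browser blocklists key on."""
        return hashlib.sha256(self.tbs() + self.signature).hexdigest()


def _sign(issuer_name: str, issuer_key: bytes, subject: str, key: bytes, is_ca: bool) -> Cert:
    tbs = f"{subject}|{issuer_name}|{is_ca}|{key.hex()}".encode()
    return Cert(subject, issuer_name, key, hmac.new(issuer_key, tbs, "sha256").digest(), is_ca)


def make_root(name: str, key: bytes) -> Cert:
    return _sign(name, key, name, key, True)            # self-signed root


def issue(issuer: Cert, subject: str, key: bytes, is_ca: bool = False) -> Cert:
    return _sign(issuer.subject, issuer.key, subject, key, is_ca)


def signed_by(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), "sha256").digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(expected, cert.signature)


@dataclass
class TrustPolicy:
    roots: dict[str, Cert]                                    # trusted roots, by name
    blocked: set[str] = field(default_factory=set)            # fingerprints distrusted outright
    root_domains: dict[str, tuple[str, ...]] = field(default_factory=dict)  # root -> allowed suffixes


def verify(host: str, leaf: Cert, intermediates: list[Cert], policy: TrustPolicy) -> tuple[bool, str]:
    """Return (accepted, reason) for a server presenting `leaf` + `intermediates` as `host`."""
    if leaf.subject != host:
        return False, "certificate is not for this host"
    cert = leaf
    for _ in range(len(intermediates) + 1):                # walk issuer links up to a root
        if cert.fingerprint() in policy.blocked:
            return False, f"blocked certificate: {cert.subject}"
        root = policy.roots.get(cert.issuer)
        if root is not None and signed_by(cert, root):
            if root.fingerprint() in policy.blocked:
                return False, f"blocked root: {root.subject}"
            allowed = policy.root_domains.get(root.subject)
            if allowed is not None and not any(host == d or host.endswith("." + d) for d in allowed):
                return False, f"{root.subject} is not trusted for {host}"
            return True, f"chains to trusted root {root.subject}"
        parent = next((c for c in intermediates
                       if c.is_ca and c.subject == cert.issuer and signed_by(cert, c)), None)
        if parent is None:
            return False, "no trusted issuer found"
        cert = parent
    return False, "chain too long"


# Constructed scenario: every name and key here is made up for the example.
INDIA_CCA = make_root("India CCA", b"root-key")
NIC = issue(INDIA_CCA, "NIC CA", b"nic-key", is_ca=True)
NIC_SITE = issue(NIC, "nic.in", b"nic-site-key")               # legitimate government site
MISISSUED = issue(NIC, "www.google.com", b"attacker-key")      # the breach: NIC signs a Google name

ROOTS = {"India CCA": INDIA_CCA}
DEFAULT = TrustPolicy(roots=ROOTS)                                          # before any response
BLOCK_LEAF = TrustPolicy(roots=ROOTS, blocked={MISISSUED.fingerprint()})    # Chrome's block
DISTRUST_NIC = TrustPolicy(roots=ROOTS, blocked={NIC.fingerprint()})        # CTL-style intermediate distrust
CONSTRAINED = TrustPolicy(roots=ROOTS, root_domains={"India CCA": ("gov.in", "nic.in", "ac.in")})

if __name__ == "__main__":
    for label, policy in [("default", DEFAULT), ("block leaf", BLOCK_LEAF),
                          ("distrust NIC", DISTRUST_NIC), ("constrain root", CONSTRAINED)]:
        for host, leaf in [("www.google.com", MISISSUED), ("nic.in", NIC_SITE)]:
            print(f"{label:14} {host:15} -> {verify(host, leaf, [NIC], policy)}")
```

Running the block prints one line per policy and host. Under the default policy the forged Google certificate is accepted, because nothing in the chain is technically invalid; that is the point Chatterjee makes. Blocking the leaf stops only the certificates already known, which is why Google called the scope of the breach unknown. Distrusting the NIC intermediate also cuts off the legitimate nic.in site, while constraining the root to Indian government domains rejects the Google name and keeps nic.in working, which is the trade-off behind Chrome's planned change.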