
Investigation underway after Indian agency issues fake certificates to Google domains

The Indian Controller of Certifying Authorities (India CCA) has launched an investigation into the issuance of unauthorized digital certificates for Google domains by the National Informatics Center Certifying Authority (NICCA). Such a certificate could be used to trick a client into accepting an impostor server as a legitimate Google domain.

In a post on its online security blog, Google stated that the unauthorized certificates chained up to the India CCA root, which is included in Microsoft's Root Store, meaning that the majority of Windows programs that use SSL would have trusted them.

Firefox is not affected because it uses its own root store, and Chrome applies additional TLS/SSL safeguards beyond the root store that protect users from unauthorized certificates; Google also blocked these certificates in Chrome with a CRLSet push. Google further clarified that Chrome on other platforms, including Chrome OS, Android, iOS and OS X, was not affected, as the India CCA root is not included in those platforms' root stores.

Google was in contact with the India CCA, and a subsequent CRLSet push revoked the NIC certificates, rendering all NIC domains inaccessible. The NICCA has since stopped issuing digital certificates for the time being and has posted the following message on its website:

Due to technical reasons, NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted.
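The layers the article walks through (a platform root store that trusts the India CCA root, Firefox's separate store, Chrome's public-key pins and its CRLSet) modelled in Python as an added example; this is not Google's or Chrome's code, and every certificate, key and hash in it is a constructed placeholder standing in for real SubjectPublicKeyInfo values.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo; constructed stand-in bytes below

def spki_sha256(cert):
    """SHA-256 of the SubjectPublicKeyInfo, the identifier CRLSets and pins key on."""
    return hashlib.sha256(cert.spki).hexdigest()

def os_trusts(chain, root_store):
    """Plain root-store check: the chain (leaf first) ends in a root the platform trusts.
    This is all a typical Windows SSL client did, so the rogue chain passes it."""
    return spki_sha256(chain[-1]) in root_store

def chrome_accepts(chain, root_store, crlset_blocked, pins):
    """Chrome's extra layers on top of the root store: a CRLSet of blocked issuer
    SPKI hashes, and a per-host pin set that some key in the chain must match."""
    if not os_trusts(chain, root_store):
        return False, "root not in store"
    for cert in chain[1:]:  # issuing CAs, not the leaf
        if spki_sha256(cert) in crlset_blocked:
            return False, f"issuer '{cert.subject}' blocked by CRLSet"
    pinned = pins.get(chain[0].subject)
    if pinned is not None and not any(spki_sha256(c) in pinned for c in chain):
        return False, "public-key pin mismatch"
    return True, "accepted"

# Constructed sample data: names follow the article, keys are placeholder bytes.
india_cca = Cert("India CCA Root", "India CCA Root", b"constructed:india-cca-root")
nic_ca = Cert("NIC Certifying Authority", "India CCA Root", b"constructed:nic-ca")
rogue_leaf = Cert("www.google.com", "NIC Certifying Authority", b"constructed:rogue-key")
ROGUE_CHAIN = [rogue_leaf, nic_ca, india_cca]

legit_root = Cert("Legit Root (constructed)", "Legit Root (constructed)", b"constructed:legit-root")
google_ca = Cert("Google Intermediate (constructed)", "Legit Root (constructed)", b"constructed:google-ca")
legit_leaf = Cert("www.google.com", "Google Intermediate (constructed)", b"constructed:google-key")
LEGIT_CHAIN = [legit_leaf, google_ca, legit_root]

WINDOWS_STORE = {spki_sha256(legit_root), spki_sha256(india_cca)}  # includes the India CCA root
FIREFOX_STORE = {spki_sha256(legit_root)}                          # does not
PINS = {"www.google.com": {spki_sha256(google_ca)}}
CRLSET_BEFORE, CRLSET_AFTER = set(), {spki_sha256(nic_ca)}  # after = the push blocking the NIC CA

if __name__ == "__main__":
    print(chrome_accepts(ROGUE_CHAIN, WINDOWS_STORE, CRLSET_BEFORE, PINS))  # (False, 'public-key pin mismatch')
```

The rogue chain passes the bare root-store check that a Windows SSL client performs, fails in Firefox for lack of the India CCA root, and fails in Chrome on the pin even before the CRLSet push lands.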

Source: Google

Harish Jonnalagadda

Harish Jonnalagadda is a Senior Editor overseeing Asia at Android Central. He leads the site's coverage of Chinese phone brands, contributing to reviews, features, and buying guides. He also writes about storage servers, audio products, and the semiconductor industry. Contact him on Twitter at @chunkynerd.

  • K Posted from my Nexus 7 2013 running Android L or Samsung Galaxy S5
  • This article makes it clear as mud as to whether certificates were issued to Google, or whether certificates for Google domains were issued to someone else, or whether certificates that say they are Google's certificates were issued to someone else.
  • Just like the article .... HUH?
  • Does this explain why I got "not a trusted site" and "bad ssl certificates" in Google Chrome and it blocks me from the sites? This happened a lot on normal sites I went to every day, and then it just stopped letting me in. This happened to me all the time in Windows XP, but barely happens now in Windows 7. I had to do some reading on why but never could find out. But on blocked pages, if you click the page with the mouse anywhere and type "proceed" and enter, it will finally allow you into the site.