Google catches Indian Government Agency with Fake Digital Certificates

Google has identified and blocked unauthorized digital certificates for a number of its domains issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology.

National Informatics Center (NIC) holds several intermediate Certification Authority (CA) certs trusted by the Indian government’s top CA, Indian Controller of Certifying Authorities (India CCA), which are included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome.

The use of rogue digital certificates could result in a potentially serious security and privacy threat that could allow an attacker to spy on an encrypted communication between a user’s device and a secure HTTPS website, which is thought to be secure.

It’s the second high-profile incident of a government agency caught issuing fake SSL certificates since December, when Google revoked trust for a digital certificate for several of its domains, mistakenly signed by a French government intermediate certificate authority.

Google has taken many measures to advance the security of its certificates, as SSL certificates are still one of the core elements of online security and still, since hundreds of entities issue certificates, it makes the company difficult to identify fake certs that aren’t following proper procedures.

One such measure is Google’s recently launched Certificate Transparency project, which provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. 

DigiCert was one of the first Certificate Authority’s to implement Certificate Transparency after working with Google for a year to pilot the project.

Google also upgraded its SSL certificates from 1024-bit to 2048-bit RSA to make them more secure and unbreakable. Because longer key length would make it even more difficult for a cyber criminal to break the SSL connections that secure your emails, banking transactions and many more.