Slashdot Mirror


India's National Informatics Centre Forged Google SSL Certificates

NotInHere (3654617) writes: As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do man-in-the-middle attacks. Possible impact, however, is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

19 of 107 comments

  1. Repercussions? by Anonymous Coward · Score: 3, Interesting

    Will there be any repercussions for this?

    The National Informatics Centre of India did abuse something.
    Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future?
    Or will they lose this ability?

    What will happen now?

    They have shown that they can not be trusted. They must lose the power to do this.

    Pull someone's certificates or kill some CA. Someone needs to suffer because of this.

    1. Re:Repercussions? by Z00L00K · Score: 4, Insightful

      This yet again highlights that the three-party trust system is broken.

      There are ways around it, but there is no great solution - only workarounds.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Repercussions? by INT_QRK · Score: 3, Interesting

      “Power attracts the corruptible. Suspect any who seek it.” Frank Herbert, Chapterhouse: Dune

    3. Re:Repercussions? by IamTheRealMike · Score: 2

      They have shown that they can not be trusted. They must lose the power to do this.

      Pull someone's certificates or kill some CA. Someone needs to suffer because of this.

      What happens now is that there's an investigation. Depending on the outcome the CA may be revoked for good, or merely forced to reissue lots of certificates. The deciding factor is the reason for the screwup - for instance they may have got hacked, rather than been actively corrupt. In that case Microsoft will have to decide if they have patched things up enough to continue as part of their root store program or whether to pull the plug. I doubt many people have certs issued by this CA so the damage would be relatively minimal.

      Unfortunately you can't just kill any CA that screws up. For one, if the CA was widely used it'd be disrupted. For another, nothing is unhackable, especially when you get the NSA involved. Expecting CAs to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

      Hard decisions ahead for browser and OS makers for sure ...

    4. Re:Repercussions? by BitZtream · Score: 2

      Expecting CAs to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

      Yet that is exactly what they are supposed to do. It's not even really that hard.

      Every CA hack to date has been preventable and was the fault of the CA simply not putting the required effort into doing their job or being flat-out malicious. Stop trying to make it out like it's an uber-hard job; it's not.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Who do they think they are? by Required+Snark · Score: 5, Funny

    The NSA?

    --
    Why is Snark Required?
  3. All about trust by Himmy32 · Score: 2

    The whole point of issuing certs is to be a trusted third party. No one is going to accept a cert from them again. They should know better.

    1. Re:All about trust by currently_awake · Score: 2

      So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

    2. Re:All about trust by gstoddart · Score: 5, Insightful

      So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

      And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

      India already forced BlackBerry to allow them to access BBM and the like.

      Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT Act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.

      Which means Indians are already being spied on by (at least) their own government AND the USA.

      Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.

      --
      Lost at C:>. Found at C.
    3. Re:All about trust by Himmy32 · Score: 2

      Deliberately giving out bad certs and being hacked are a little different. But, as your comment shows, their reputation has suffered because of the breach even 3 years later.

    4. Re:All about trust by OhPlz · Score: 4, Insightful

      As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.

      So no, it's not ok. Not for the US, not for India.

  4. So SSL is nothing more than an honor system? by bazmail · Score: 3, Insightful

    So SSL is nothing more than an honor system? Fuck that. Security, such as it was, is utterly fucked now that any tin-pot government quango can start intercepting.

    1. Re:So SSL is nothing more than an honor system? by bunratty · Score: 5, Insightful

      Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:So SSL is nothing more than an honor system? by Desler · Score: 2

      You're just figuring this out? Have you been living under a rock for the past ~20 years or are you just incredibly naive?

    3. Re:So SSL is nothing more than an honor system? by gstoddart · Score: 2

      So SSL is nothing more than an honor system?

      This is nothing new.

      And, let's face it, I bet the NSA et al have demanded more private keys be handed over to them than you'll ever know about. Where's your outrage over that?

      The five eyes all use each other to spy on their own (and others) citizens, and share the information among themselves. Where's your outrage over that?

      I see this as a symptom of a greater problem, but no different from what a bunch of other countries are already doing.

      Until someone creates a new encryption system which isn't susceptible to MITM attacks, this will always be the case. And governments will always unashamedly insist on spying on their people, and anybody else they can find.

      --
      Lost at C:>. Found at C.
    4. Re:So SSL is nothing more than an honor system? by gweihir · Score: 2

      Anybody that looked into the SSL certificate system has known that for a very long time. Quite a few people used to use self-signed certificates, as at least there somebody who bothered to find out could be sure it was secure.

      I think the fundamental brokenness of the SSL certificate system is because of deep naivety with regard to the trustworthiness of governments and because of active sabotage by said governments way back. I hope at least that issue is fixed after Snowden. Governments are even more evil than any of their members and cannot be trusted for any purpose.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:So SSL is nothing more than an honor system? by Rich0 · Score: 2

      SSL goes beyond the naivety of government trust. It also suffers from what amounts to a global namespace/trust/etc issue.

      Any CA can issue a certificate for any domain, a domain generally can only have one certificate, and the trusted CA list is managed by the browser, not the user.

      So, if you trust your government (naively), and distrust everybody else, it won't work. Your browser will constantly be wanting to add CAs you don't trust, and might not include ones you trust. Then, if you drop a bunch of CAs then a bunch of websites won't work. A website doesn't have the option of getting certificates from 14 different CAs so as to be trusted by everybody - they have to pick one and everybody has to trust them.

      So, users are basically forced to accept CAs they've never heard of, and the whole system is a mess as a result.

  5. Re:Typical by Himmy32 · Score: 3, Insightful

    The whole world is filled with people with dubious ethics. Some regions just have slightly more effective means of controlling them.

  6. Not a Problem with Mozilla-Based Applications by DERoss · Score: 4, Informative

    This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.

    The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.

    To see the discussion, see https://bugzilla.mozilla.org/s....

    Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!
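Two mechanisms limited this incident: the submission notes that Chrome pins the important Google domains to Google's own CA, and DERoss's comment above notes that Mozilla's root store never contained the NIC root. The Go program below is an added illustration of both points, written for this page and not code from Slashdot, Google, Mozilla or NIC. It builds two constructed CAs (a "Google-like" root and a "NIC-like" root), has each issue a certificate for the same placeholder hostname, and then checks the mis-issued certificate three ways: against a store that trusts both roots (the Windows-like case, where plain chain validation passes), against the same store with an SPKI pin to the Google-like key (the Chrome-like case, where the pin rejects it), and against a store that never admitted the rogue root (the Mozilla-like case). All CA names, keys and the hostname `mail.example.test` are constructed placeholders; the pin format (base64 SHA-256 of the SubjectPublicKeyInfo) is the one browsers use for public-key pins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must aborts on errors that cannot reasonably occur in this offline demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a constructed test CA: a self-signed root plus its private key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root; the name is a made-up placeholder.
func newCA(name string) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// issueLeaf has the CA sign a server cert for host; X.509 itself lets any CA do this for any name.
func (c *ca) issueLeaf(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key))
	return must(x509.ParseCertificate(der))
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form used for browser key pins.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify runs ordinary chain validation against roots, then requires some cert in a valid
// chain to match a pin. It returns (chainOK, pinOK); pinOK is true when no pins are set.
func verify(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) (bool, bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true, true
			}
		}
	}
	return true, pins == nil
}

// outcome records the three situations the comments describe.
type outcome struct {
	LegitChainOK, LegitPinOK bool // legitimate cert, store trusting both roots
	RogueChainOK, RoguePinOK bool // mis-issued cert, same store
	RogueInStrictStore       bool // mis-issued cert, store without the rogue root
}

func runScenario() (o outcome) {
	googleLike, rogue := newCA("Constructed Google-like CA"), newCA("Constructed NIC-like CA")
	const host = "mail.example.test" // placeholder, not a real Google host
	legitLeaf, rogueLeaf := googleLike.issueLeaf(host), rogue.issueLeaf(host)
	// Windows-like store trusts both roots; Mozilla-like store never admitted the rogue one.
	both, strict := x509.NewCertPool(), x509.NewCertPool()
	both.AddCert(googleLike.cert)
	both.AddCert(rogue.cert)
	strict.AddCert(googleLike.cert)
	pins := map[string]bool{spkiPin(googleLike.cert): true} // pin the host to the legit CA key
	o.LegitChainOK, o.LegitPinOK = verify(legitLeaf, host, both, pins)
	o.RogueChainOK, o.RoguePinOK = verify(rogueLeaf, host, both, pins)
	o.RogueInStrictStore, _ = verify(rogueLeaf, host, strict, nil)
	return o
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Running it prints an outcome in which the legitimate certificate passes both checks, the mis-issued one chains successfully in the store that trusts the rogue root but fails the pin, and the same mis-issued certificate is rejected outright by the store that never admitted that root. The pin check here accepts a match anywhere in the validated chain, which is how pinning a domain to a CA key rather than to the leaf key works; pinning only the leaf would break on every legitimate key rotation.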