India's National Informatics Centre Forged Google SSL Certificates
NotInHere (3654617) writes: As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to carry out man-in-the-middle attacks. The possible impact, however, is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use; and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.
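The two defences the summary relies on (a root store that never contained the Indian CCA root, and Chrome's SPKI pins for Google domains) are independent checks, and the following added example shows why a pin catches a mis-issued chain even where the store trusts its root. This is illustration code written for this page, not code from Google, NIC or any browser; the keys are constructed toy RSA moduli (not real certificates), the store contents are modelled on what the summary says, and the toy skips signature verification, doing only the root-membership and pin checks.

```python
"""Added example: SPKI pinning vs. root-store trust, modelled on the Chrome
behaviour the summary describes.  Not code from Google or NIC.  Keys, pins
and store contents are constructed toy values."""
import base64
import hashlib


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """DER INTEGER; a leading 0x00 keeps a set high bit from reading as negative."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: exactly the bytes a SPKI pin hashes."""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def spki_pin(spki_der):
    """Pin in the form used by HPKP and Chrome's static list: base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain, pins):
    """Pin check: at least one certificate in the chain must carry a pinned key."""
    return any(spki_pin(spki) in pins for spki in chain)


def evaluate(chain, root_store, pins):
    """Two independent decisions for a chain (leaf first, root last).
    Returns (chains_to_trusted_root, satisfies_pins).  Signature checks omitted."""
    trusted = chain[-1] in root_store
    return trusted, chain_matches_pins(chain, pins)


# Constructed toy keys (arbitrary moduli; not real certificates).
GOOGLE_ROOT = rsa_spki_der(0xC0FFEE0000000001, 65537)
GOOGLE_SUB_CA = rsa_spki_der(0xC0FFEE0000000002, 65537)
GOOGLE_LEAF = rsa_spki_der(0xC0FFEE0000000003, 65537)
INDIAN_CCA_ROOT = rsa_spki_der(0xBADC0DE000000001, 65537)
NIC_SUB_CA = rsa_spki_der(0xBADC0DE000000002, 65537)
ROGUE_LEAF = rsa_spki_der(0xBADC0DE000000003, 65537)  # a Google name issued under NIC

GOOGLE_PINS = {spki_pin(GOOGLE_ROOT), spki_pin(GOOGLE_SUB_CA)}
WINDOWS_STORE = {GOOGLE_ROOT, INDIAN_CCA_ROOT}  # per the summary: CCA root present
MOZILLA_STORE = {GOOGLE_ROOT}                   # CCA root never added

LEGIT_CHAIN = [GOOGLE_LEAF, GOOGLE_SUB_CA, GOOGLE_ROOT]
ROGUE_CHAIN = [ROGUE_LEAF, NIC_SUB_CA, INDIAN_CCA_ROOT]

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN), ("rogue", ROGUE_CHAIN)):
        for store_name, store in (("windows", WINDOWS_STORE), ("mozilla", MOZILLA_STORE)):
            print(name, store_name, evaluate(chain, store, GOOGLE_PINS))
```

Run as a script it prints four lines: the legitimate chain passes both checks under either store, the rogue chain chains to a trusted root under the Windows-like store but fails the pin check, and fails both under the Mozilla-like store. Pinning the intermediate as well as the root is what lets a legitimate re-issuance under the same Google CA keep working while a chain through a different, store-trusted root is still rejected.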
The NSA?
Why is Snark Required?
And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?
India already forced BlackBerry to allow them to access BBM and the like.
Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT Act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.
Which means Indians are already being spied on by (at least) their own government AND the USA.
Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.
Lost at C:>. Found at C.
Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.
What a fool believes, he sees, no wise man has the power to reason away.
This yet again highlights that the three-party trust system is broken.
There are ways around it, but there is no great solution - only workarounds.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.
So no, it's not ok. Not for the US, not for India.
This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.
The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.
To see the discussion, see https://bugzilla.mozilla.org/s....
Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!