Earlier this month, hackers issued rogue certificates in India that could have been used to impersonate websites run by Google. This major security breach occurred at the National Informatics Centre (NIC), an Indian web services organization. The fake SSL certificates went undetected for days, raising concern that they could allow hackers to spy on communications users believed were encrypted.
The NIC holds intermediate certificate authority (CA) certificates trusted by the Indian government’s top CA, the Indian Controller of Certificate Authorities (CCA). How the fake certificates were issued by NIC is unclear. It was recently revealed that the hacker issuing the certificates was also able to access the core root directory of the NIC to obtain all of its data.
It was imperative to immediately block these rogue certificates, as India CCA certificates are included in the Microsoft Root Store and trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome.
How does this process work? By default, a browser trusts any certificate that chains back to one of the root CAs in its trust store. When a user connects to a site, the browser checks the site's digital certificate to verify that it was issued to the entity it claims to be and that the issuing CA was, in turn, signed by a trusted root; any website certificate signed by such a CA is trusted as well. This means an unsuspecting user accessing a website that presents one of these rogue certificates sees every common security indicator report a secure connection and has no way to tell that a breach has occurred.
Hackers can use these rogue certificates to spy on encrypted communications between a user's device and an HTTPS website, which the user assumes is secure. As many banks and financial institutions rely on HTTPS for secure communications over a wireless network, this has the potential to be very damaging.
A certificate, as it relates to WiFi network security, is used to authenticate a device or user to a network. It is the preferred method of authentication because username and password credentials are comparatively simple for an attacker to steal.
Within 24 hours after Google became aware of the incident, the Indian CCA revoked all NIC intermediate certificates and enabled a utility program that would block the fraudulent certificates in Chrome.
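The chain-of-trust check described above, and the blocklisting of the NIC intermediates that the CCA and Chrome applied afterwards, can both be shown with the Go standard library's crypto/x509 package. The program below is an added example, not code from the original article or from any browser or CA: it constructs a throwaway root CA, an intermediate CA and a site certificate for the made-up host www.example.test, verifies the site certificate the way a browser would (path to a trusted root plus hostname match), and then shows that once the intermediate's SHA-256 fingerprint is placed on a blocklist, the same certificate is rejected even though its signatures are still mathematically valid. The names Hierarchy, BuildHierarchy, VerifyChain and Fingerprint are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a CA certificate: BasicConstraints CA=true and a cert-signing key usage.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes a server certificate bound to one DNS name.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue creates a fresh P-256 key for tmpl and signs it with the parent's key
// (self-signed when parent is nil). Returns the parsed certificate and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Hierarchy is the constructed test PKI: trusted root -> intermediate CA -> site certificate.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildHierarchy constructs the three-level chain for host. All certificates are generated
// on the fly for this example; none are real NIC, CCA or Google certificates.
func BuildHierarchy(host string) (*Hierarchy, error) {
	root, rootKey, err := issue(caTemplate("Constructed Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Constructed Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(leafTemplate(host, 3), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Fingerprint is the SHA-256 of the DER encoding, the identity browser blocklists key on.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// VerifyChain mimics a browser: build a path from leaf through intermediates to a trusted
// root, check the hostname, then refuse any path that contains a blocklisted certificate.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string, blocked map[[32]byte]bool) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if blocked[Fingerprint(c)] {
				clean = false
				break
			}
		}
		if clean {
			return nil
		}
	}
	return errors.New("every chain passes through a blocklisted certificate")
}

func main() {
	h, err := BuildHierarchy("www.example.test")
	if err != nil {
		panic(err)
	}
	inters, roots := []*x509.Certificate{h.Intermediate}, []*x509.Certificate{h.Root}
	blocked := map[[32]byte]bool{}
	fmt.Println("before block:", VerifyChain(h.Leaf, inters, roots, "www.example.test", blocked))
	blocked[Fingerprint(h.Intermediate)] = true // the CCA/Chrome-style response
	fmt.Println("after block: ", VerifyChain(h.Leaf, inters, roots, "www.example.test", blocked))
}
```

The first VerifyChain call succeeds: the rogue intermediate is a properly signed child of a trusted root, so nothing in the cryptography itself flags it, which is exactly why the NIC certificates went unnoticed. Only the out-of-band fingerprint block in the second call turns the verdict into an error, and a real browser would persist that list and ship it as an update rather than hold it in memory.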