India's National Informatics Centre Forged Google SSL Certificates 107
NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.
Not a Problem with Mozilla-Based Applications (Score:5, Informative)
This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.
The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.
To see the discussion, see https://bugzilla.mozilla.org/s... [mozilla.org].
Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!