India's National Informatics Centre Forged Google SSL Certificates

NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

So SSL is nothing more than an honor system?

[bazmail]

So SSL is nothing more than an honor system? Fuck that. Security , such as it was, is utterly fucked now that any tin-pot government quango can start intercepting.

Re:Anybody else think posting AC should be abolish

[Anonymous Coward]

Says the random turd hiding behind a pseudonym. Sign your post with your real name, address and SSN and then you can call for "anonymous" posting to be abolished.

Re:All about trust

[gstoddart]

So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

India already forced BlackBerry to allow them to access BBM and the like.

Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.

Which means Indians are already being spied on by (at least) their own government AND the USA.

Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.

Re:So SSL is nothing more than an honor system?

[bunratty]

Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.

Re:Typical

[Himmy32]

The whole world is filled with people with dubious ethics. Some regions just have slightly more effective means of controlling them.

Re:Repercussions?

[Z00L00K]

This yet again highlights that the three-party trust system is broken.

There are ways around it, but there is no great solution - only workarounds.

Re:All about trust

[OhPlz]

As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.

So no, it's not ok. Not for the US, not for India.