Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Google Government The Internet

India's National Informatics Centre Forged Google SSL Certificates 107

NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.
This discussion has been archived. No new comments can be posted.

India's National Informatics Centre Forged Google SSL Certificates

Comments Filter:
  • Repercussions? (Score:3, Interesting)

    by Anonymous Coward on Thursday July 10, 2014 @07:50AM (#47423445)

    Will there be any repercussions for this?

    The National Informatics Centre of India did abuse something.
    Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future?
    Or will they lose this ability?

    What will happen now?

    They have shown that they can not be trusted. They must lose the power to do this.

    Pull someones certificates or kill some CA. Someone needs to suffer because of this.

    • by Anonymous Coward

      They must lose the power to do this.

      No one can be trusted. The system/infrastructure must be designed to take into account untrustworthiness of all parties involved. WoT [wikipedia.org].

      • Re:Repercussions? (Score:5, Insightful)

        by Z00L00K ( 682162 ) on Thursday July 10, 2014 @08:33AM (#47423669) Homepage Journal

        This yet again highlights that the three-party trust system is broken.

        There are ways around it, but there is no great solution - only workarounds.

      • Re:Repercussions? (Score:4, Interesting)

        by INT_QRK ( 1043164 ) on Thursday July 10, 2014 @10:00AM (#47424271)
        “Power attracts the corruptible. Suspect any who seek it.” Frank Herbert, Chapterhouse: Dune
    • They have shown that they can not be trusted. They must lose the power to do this.

      Pull someones certificates or kill some CA. Someone needs to suffer because of this.

      What happens now is that there's an investigation. Depending on the outcome the CA may be revoked for good, or merely forced to reissue lots of certificates. The deciding factor is the reason for the screwup - for instance they may have got hacked, rather than been actively corrupt. In that case Microsoft will have to decide if they have patche

      • Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

        Yet that is exactly what they are supposed to do. Its not even really that hard.

        Every CA hack to date has been preventable as was the fault of the CA simply not putting the required effort into doing their job or being flat out malicious. Stop trying to make it out like its an uber hard job, its not.

      • Seriously? How hard is it to put the actual root certificate on an offline internal network? You have to actually have a human being move a thumb drive between two machines to generate a cert. OMG, the horror! It's india for god sake, don't tell me they can't afford all that manual labor.
  • by Required Snark ( 1702878 ) on Thursday July 10, 2014 @07:59AM (#47423479)
    The NSA?
    • Who in the world do you think gathers intelligence?
      Only the NSA?
      Need a bridge? I have one for sale.

      • Nice strawman. So does the NIC have a legal mission to gather intelligence? Does forging certificates constitute legitimate intelligence collection?
        • Strawman? Not so much.

          So does the NIC have a legal mission to gather intelligence? Does forging certificates constitute legitimate intelligence collection?

          Who can say? Do you have any thoughts on the matter?

        • Name one intelligence agency that doesn't use other government agencies to assist its endeavours.

      • All countries conduct espionage to the extent that they prioritize their capabilities, and against targets where they perceive threats and/or opportunities.
        • All countries conduct espionage to the extent that they prioritize their capabilities, and against targets where they perceive threats and/or opportunities.

          All countries keep an eye on their neighbours, just like all people keep a general awareness of their surroundings. All countries don't tap the phones of their neighbours's leaders, or install malware on equipment sold to them, or even spies over. Morals aside, taking hostile action tends to backfire, as the US is learning. Reputation is a resource, and

          • I was making an observation, not an apology. Notice that I never added, "...and this is always good thing." That said, neither is it always a bad thing.
  • by Anonymous Coward

    Good old Indian "ethics".

  • The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again. They should know better.
    • So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.
      • Re:All about trust (Score:5, Insightful)

        by gstoddart ( 321705 ) on Thursday July 10, 2014 @08:18AM (#47423573) Homepage

        So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

        And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

        India already forced BlackBerry to allow them to access BBM and the like.

        Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.

        Which means Indians are already being spied on by (at least) their own government AND the USA.

        Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.

        • Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it. Every other country does it's sharing of spying too, let's not be naive. Wrong is wrong, no matter who does it. This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.
          It's only fair that you either get to protest when every and any country pulls something like this, or not at all.
          • Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it.

            I don't disagree with you, but the hypocrisy of "but that's the job of the NSA" that I hear when someone points this out is maddening.

            This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.

            And one which was doing business in their country. Like it or not, Google in India is subject to India's laws.

            How many corporations and people in fore

            • Honestly, I don't think I've heard but a handful of americans saying that it's fine when we do it.. Pretty much everyone is up in arms over the NSA. What I hear people say - if unapologetically- is that the NSA isn't the only one doing it. And you'll probably never hear much about what the KGB does (I know that's more an equivalent to the CIA than the NSA but I'm not sure if Russia sets up their organizations like the US does).

              Still, Google may have a presence in India but it's not an Indian company,
      • by Himmy32 ( 650060 )
        Let's be honest the outrage in India over this is going to be small. The current furor is over people getting raped and hanged while defecating in the open. The US doesn't really have a leg to stand on with the Snowden revelations and espionage in Germany. Nor do too many people want them to be the Internet World Police. It's a complex world with every country playing the spying game. No one is really shocked when someone else gets caught.

        The only thing that will come out of this is lack of trust for som
      • Re:All about trust (Score:5, Insightful)

        by OhPlz ( 168413 ) on Thursday July 10, 2014 @09:15AM (#47423949)

        As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.

        So no, it's not ok. Not for the US, not for India.

        • by sjames ( 1099 )

          Agreed. They might or might not put the bodies in prison with the heads, I'm good with it either way. :-)

    • by Anonymous Coward

      No one is going accept a cert from them again.

      Yeah. Just like no one trusts Comodo CA. Oh wait.

      • by Himmy32 ( 650060 )
        Deliberately giving out bad certs and being hacked are a little different. But as your comment shows their reputation has suffered because of the breach even 3 years later.
    • by Anonymous Coward

      Remember DigiNotar ?
      They went bankrupt because nobody trusted them anymore.

      • ...and that's good. Loss of trust and confidence is the price one pays for getting caught breaching same.
    • The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again.

      Sounds like what we need is a cert-issuing protocol based on Bitcoin security. Everyone (plus or minus epsilon) trusts that Bitcoins can't be forged.

  • by bazmail ( 764941 ) on Thursday July 10, 2014 @08:13AM (#47423551)
    So SSL is nothing more than an honor system? Fuck that. Security , such as it was, is utterly fucked now that any tin-pot government quango can start intercepting.
    • by bunratty ( 545641 ) on Thursday July 10, 2014 @08:19AM (#47423581)
      Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.
      • by chihowa ( 366380 ) *

        That's a cop-out, though. Yes, there is always an element of trust in whatever you do. That's unavoidable, though it's smart to minimize the amount of trust you must put in others. Taken to the extreme it's ludicrous, as you've pointed out. But, that doesn't mean that there's no merit in limiting the amount of trust you put in third parties. Just because you can't completely trust your OS or compiler, doesn't mean that you should throw the entire concept of limiting trust out the window. It's dishonest to s

    • by Desler ( 1608317 )

      You're just figuring this out? Have you been living under a rock for the past ~20 years or are you just incredibly naive?

    • So SSL is nothing more than an honor system?

      This is nothing new.

      And, let's face it, I bet the NSA et al have demanded more private keys be handed over to them than you'll ever know about. Where's your outrage over that?

      The five eyes all use each other to spy on their own (and others) citizens, and share the information among themselves. Where's your outrage over that?

      I see this as a symptom of a greater problem, but no different from what a bunch of other countries are already doing.

      Until someone creates

      • Until someone creates a new encryption system which isn't susceptible to MITM attacks

        Uh, some of the earliest encryption algorithms ever created are immune to MITM.
        The core of the MITM issue is that anything sent over it could be intercepted or spoofed.
        So ALL your communication must be encrypted.

        All you need a pre-shared key to initiate the connection. Whether that's a password or a certificate or something else makes no difference. What matters is the pre-sharing. You have to fucking know and trust the source of that key. If you're just using a list of certs issued by people you don't

        • Uh, some of the earliest encryption algorithms ever created are immune to MITM.

          Yes, and they were built for communications between two parties, who knew they'd be communicating, and could exchange keys in advance.

          Now, tell me one which is applicable to the problem of a large number of potential users, all unknown up front, and coming from random devices.

          The problem with modern public key encryption (and its strength as well) is that you don't need to pre-exchange keys. But this opens you up to MITM attacks

    • by gweihir ( 88907 )

      Anybody that looked into the SSL certificate system has known that for a very long time. Quite a few people used to use self-signed certificates, as as least there somebody that bothered to find out could be sure it was secure.

      I think the fundamental brokeness of the SSL certificate system is because of deep naivety with regard to the trustworthiness of governments and because of active sabotage of by said governments way back. I hope at least that issue is fixed after Snowden. Governments are even more evi

      • by Rich0 ( 548339 )

        SSL goes beyond the naivety of government trust. It also suffers from what amounts to a global namespace/trust/etc issue.

        Any CA can issue a certificate for any domain, a domain generally can only have one certificate, and the trusted CA list is managed by the browser, not the user.

        So, if you trust your government (naievely), and distrust everybody else, it won't work. Your browser will constantly be wanting to add CAs you don't trust, and might not include ones you trust. Then, if you drop a bunch of CAs

        • by gweihir ( 88907 )

          Indeed. That is why I wrote "governments" as in the sum of all of them. One corrupt one is enough to break things.

    • There are two TLS extensions that fix these problems - one is including your certificate fingerprint in DNS and the other is multiple signatures. Both have good standards and the industry is painfully slow to adopt them.

    • by jandrese ( 485 )
      x509 is as strong as the weakest signing authority, and there are many many signing authorities now.

      It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs. IMHO SSH did a better job of this by simply having you inspect the certs the first time you log on to a site and storing the result, only freaking out if the cert changes. It eliminates the complex chain of trust that in the end comes down to just trust
      • by nyet ( 19118 )

        It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs

        Exactly. Especially since you can get a "real" cert from one of many, many, free cert signing services. What is the point?

        • by jandrese ( 485 )
          Originally it was supposed to be a cash cow for Verisign, but they screwed up and didn't assign a "trustworthiness level" to each CA so there's no reason to spend the big bucks on a Verisign cert over Joe Blow's Free Cert Shop now. Browsers treat both the same.
  • This is a big deal. If you use a browser on Windows that does NOT counter this, such as Internet Explorer, then you ARE vulnerable. I imagine Microsoft will come out with a special-purpose patch, but still, this is a pretty nasty issue.

    Untrustworthy CAs have been a problem for a long time; we need mechanisms to address them. The terrible cert revocation system makes it even worse; you can't be sure that the certs are checked in many cases. Chrome's CRLSets are not the answer; they are not even the be

  • I think intermediate CA certificates issued to certificate vendors, ISPs, governments, should all have name constraints so that they can be used to sign only certificates for an appropriate part of the namespace.

    http://tools.ietf.org/html/rfc... [ietf.org]

  • by DERoss ( 1919496 ) on Thursday July 10, 2014 @05:25PM (#47427739)

    This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.

    The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.

    To see the discussion, see https://bugzilla.mozilla.org/s... [mozilla.org].

    Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...