The Indian government stated in a release that it is looking into the unauthorized digital certificates issued by NIC. Technology giants Google and Microsoft had raised the issue of fake signatures last week on their security blog.
The Controller of Certifying Authorities monitors Certifying Authorities, who issue digital certificates for electronic authentication of users. Digital certificate is like an electronic passport that allows a person, computer or organization to securely exchange information over the Internet.
Digital certificates provides identifying information like the certificate holders name, a copy of his public keys, a serial number and is forgery resistant. The unauthorized certificate could be used for eavesdropping on Google services like Gmail or Google Docs. Currently only Windows users have been affected by this issue as the India CCA certificates are included for the Microsoft Root Store.
In a blog post last week, Google said, “On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by NIC of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).”
Tech giant Microsoft added that it is aware of improperly issued SSL certificates that could be used for performing phishing attacks.
“SSL certificates were improperly issued by NIC, which operates subordinate CAs under root CAs operated by Government of India’s Controller of Certifying Authorities, which are CAs present in the Trusted Root Certification Authorities Store,” it added.
The Department of Electronics and Information Technology Secretary R.S Sharma stated: “We are looking into this issue. Certifying Authority (CA) is taking appropriate steps and is working under the guidance of the CCA.”
Meanwhile, CCA in a post on its website said: “Due to security reasons 3 CA Certificates issued to NICCA have been suspended and the corresponding CRLs have been updated for this purpose. Further updation will be notified.”