Printed from http://www.electronista.com

Fake TLS certificates doled out by India, scope of problem unknown

updated 10:37 am EDT, Thu July 10, 2014

Internet Explorer, other Windows apps affected; problem could be widespread

Microsoft Internet Explorer users are being affected by a series of fraudulent transport layer security (TLS) certificates. The fake certificates, issued by India's National Informatics Centre, are trusted by the Microsoft Root Store -- a core library that Internet Explorer and other Windows applications use for identity verification. India's Controller of Certifying Records claims that only four fake certificates were issued, but other sources, including Google, are claiming that there are many more.

Transport Layer Security is a cryptographic protocol designed to provide communication security over the Internet. It uses X.509 certificates issued by governing authorities to authenticate the counterparty with whom a party is communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. Several versions of the protocol are in widespread use in applications such as web browsing, email, instant messaging, and voice-over-IP (VoIP).

Google researchers doubt the claim of only four fake certificates, and have seen more. Google security engineer Adam Langley states in a blog post about the situation that "the four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."

All certificates held by the National Informatics Centre were revoked on July 3, which means that, in theory, casual misuse of the certificates is spotted, with users being warned by Windows of the problem. However, the checks are relatively easy to bypass, and a malware attack can be specifically designed with the bad certificates and mechanisms to bypass certificate revocation checking.

Microsoft has issued a terse statement about the fraudulent certificates. It disagrees with Google's assessment of the situation, and says that "we are aware of the mis-issued third-party certificates, and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected." Electronista has spoken with Microsoft security officials, who claim that an advisory will be issued about the issue "soon."

Up-to-date Chrome users, even on Windows, are unaffected by the certificate issuance, and another hardcoded ban on CCA certificates from seven India-based subdomains will be issued shortly. Firefox and Thunderbird are likely unaffected, as well as any browser on OS X.



By Electronista Staff