updated 10:37 am EDT, Thu July 10, 2014
Internet Explorer, other Windows apps affected; problem could be widespread
Microsoft Internet Explorer users are being affected by a series of fraudulent transport layer security (TLS) certificates. The fake certificates, issued by India's National Informatics Centre, are trusted by the Microsoft Root Store -- a core library that Internet Explorer and other Windows applications use for identity verification. India's Controller of Certifying Records claims that only four fake certificates were issued, but other sources, including Google, are claiming that there are many more.
Transport Layer Security is a cryptographic protocol designed to provide communication security over the Internet. It uses X.509 certificates issued by certificate authorities so that each party can authenticate the counterparty it is communicating with, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. Several versions of the protocol are in widespread use in applications such as web browsing, email, instant messaging, and voice-over-IP (VoIP).
Google researchers doubt the claim of only four fake certificates, and have seen more. Google security engineer Adam Langley states in a blog post about the situation that "the four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."
All certificates held by the National Informatics Centre were revoked on July 3, which in theory means that casual misuse of the certificates is spotted, with Windows warning users of the problem. However, revocation checks are relatively easy to bypass, and a malware attack can be specifically designed around the bad certificates with mechanisms to bypass certificate revocation checking.
Microsoft has issued a terse statement about the fraudulent certificates. It disagrees with Google's assessment of the situation, and says that "we are aware of the mis-issued third-party certificates, and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected." Electronista has spoken with Microsoft security officials, who say that an advisory on the matter will be issued "soon."
Up-to-date Chrome users, even on Windows, are unaffected by the certificate issuance, and another hardcoded ban on CCA certificates from seven India-based subdomains will be issued shortly. Firefox and Thunderbird are likely unaffected, as well as any browser on OS X.
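The Chrome mitigation described above amounts to a relying-party rule: certificates chaining to the Indian CCA root are honoured only for a fixed set of domains, regardless of what that CA actually signs. The following Go program is an added example (not code from the article, Google, Microsoft, or the NIC) that models the same idea with the X.509 name-constraints extension. It builds an in-memory CA constrained to nic.in and gov.in, has that CA sign two server certificates (one for www.nic.in and one for mail.google.com, mirroring the kind of mis-issuance reported), and shows that Go's standard verifier accepts the first and rejects the second even though both are validly signed. The CA name, domains, serial numbers and keys are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ConstrainedCA is a demo CA (constructed in memory, not a real authority)
// plus a root pool that trusts only it.
type ConstrainedCA struct {
	Cert  *x509.Certificate
	Key   *ecdsa.PrivateKey
	Roots *x509.CertPool
}

// NewConstrainedCA creates a self-signed CA whose critical name-constraints
// extension permits only the given DNS domains and their subdomains.
func NewConstrainedCA(permitted []string) (*ConstrainedCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Demo Constrained CA"}, // hypothetical name
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ConstrainedCA{Cert: cert, Key: key, Roots: pool}, nil
}

// IssueServerCert signs a TLS server certificate for host. Nothing here stops
// the CA from signing a name outside its constraints; enforcement is the
// relying party's job, which is the point of the example.
func (ca *ConstrainedCA) IssueServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost is the relying-party check: build a chain to the trusted root
// for host and let the verifier apply the root's name constraints.
// It returns (accepted, reason); reason is "ok", "name-constraint", or the
// raw verifier error for any other failure.
func VerifyForHost(roots *x509.CertPool, leaf *x509.Certificate, host string) (bool, string) {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err == nil {
		return true, "ok"
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName {
		return false, "name-constraint"
	}
	return false, err.Error()
}

func main() {
	ca, err := NewConstrainedCA([]string{"nic.in", "gov.in"})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"www.nic.in", "mail.google.com"} {
		leaf, err := ca.IssueServerCert(host)
		if err != nil {
			panic(err)
		}
		ok, reason := VerifyForHost(ca.Roots, leaf, host)
		fmt.Printf("%-16s accepted=%v (%s)\n", host, ok, reason)
	}
}
```

The defensive lesson is in VerifyForHost: the mail.google.com certificate carries a perfectly good signature from a trusted root, and it is still rejected because the trust decision is scoped by domain rather than by signature alone. A browser that pins a government CA to its own namespace, as Chrome did for the CCA root, gets the same effect without depending on revocation checks that a malware author can arrange to bypass.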