Printed from

Fake TLS certificates doled out by India, scope of problem unknown

updated 10:37 am EDT, Thu July 10, 2014

Internet Explorer, other Windows apps affected; problem could be widespread

Microsoft Internet Explorer users are being affected by a series of fraudulent transport layer security (TLS) certificates. The fake certificates, issued by India's National Informatics Centre, are trusted by the Microsoft Root Store -- a core library that Internet Explorer and other Windows applications use for identity verification. India's Controller of Certifying Records claims that only four fake certificates were issued, but other sources, including Google, are claiming that there are many more.

Transport Layer Security is a cryptographic protocol designed to provide communication security over the Internet. It uses X.509 certificates issued by governing authorities to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. Several versions of the protocol are in widespread use in applications such as web browsing, email, instant messaging, and voice-over-IP (VoIP).

Google researchers doubt the claim of only four fake certificates, and have seen more. Google security engineer Adam Langley states in a blog post about the situation that "the four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."

All certificates held by the National Informatics Centre were revoked on July 3, so this means that theoretically that casual misuse of the certificates is spotted, with users being warned by Windows of the problem. However, the checks are relatively easy to bypass, and a malware attack can specifically designed with the bad certificates and mechanisms to bypass certificate revocation checking.

Microsoft has issued a terse statement about the fraudulent certificates. It disagrees with Google's assessment of the situation, and says that "we are aware of the mis-issued third-party certificates, and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected." Electronista has spoken with Microsoft security officials, who claim that an advisory will be issued about the issue "soon."

Up-to-date Chrome users, even on Windows, are unaffected by the certificate issuance, and another hardcoded ban on CCA certificates from seven India-based subdomains will be issued shortly. Firefox and Thunderbird are likely unaffected, as well as any browser on OS X.

By Electronista Staff
Post tools:




Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Dell AD211 Bluetooth speaker

For all of the high-priced, over-engineered Bluetooth speakers in the electronics market, there is still room for mass-market solution ...

VisionTek 128GB USB Pocket SSD

USB flash drives dealt the death blow to both the floppy and Zip drives. While still faster than either of the old removable media, sp ...

Kodak PixPro SL10 Smart Lens Camera

Smartphone imagery still widely varies. Large Megapixel counts don't make for a good image, and the optics in some devices are lacking ...



Most Commented


Popular News