Printed from

Fake TLS certificates doled out by India, scope of problem unknown

updated 10:37 am EDT, Thu July 10, 2014

Internet Explorer, other Windows apps affected; problem could be widespread

Microsoft Internet Explorer users are being affected by a series of fraudulent transport layer security (TLS) certificates. The fake certificates, issued by India's National Informatics Centre, are trusted by the Microsoft Root Store -- a core library that Internet Explorer and other Windows applications use for identity verification. India's Controller of Certifying Records claims that only four fake certificates were issued, but other sources, including Google, are claiming that there are many more.

Transport Layer Security is a cryptographic protocol designed to provide communication security over the Internet. It uses X.509 certificates issued by governing authorities to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. Several versions of the protocol are in widespread use in applications such as web browsing, email, instant messaging, and voice-over-IP (VoIP).

Google researchers doubt the claim of only four fake certificates, and have seen more. Google security engineer Adam Langley states in a blog post about the situation that "the four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."

All certificates held by the National Informatics Centre were revoked on July 3, so this means that theoretically that casual misuse of the certificates is spotted, with users being warned by Windows of the problem. However, the checks are relatively easy to bypass, and a malware attack can specifically designed with the bad certificates and mechanisms to bypass certificate revocation checking.

Microsoft has issued a terse statement about the fraudulent certificates. It disagrees with Google's assessment of the situation, and says that "we are aware of the mis-issued third-party certificates, and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected." Electronista has spoken with Microsoft security officials, who claim that an advisory will be issued about the issue "soon."

Up-to-date Chrome users, even on Windows, are unaffected by the certificate issuance, and another hardcoded ban on CCA certificates from seven India-based subdomains will be issued shortly. Firefox and Thunderbird are likely unaffected, as well as any browser on OS X.

By Electronista Staff
Post tools:




Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Apple 13-inch MacBook Pro (Early 2015)

Although the new darling of the Apple MacBook line up is the all-new MacBook, Apple has given its popular 13-inch MacBook Pro with Ret ...

Seagate Wireless

It seems like no matter how much internal storage is included today's mobile devices, we, as users, will always find a way to fill the ...

Lenovo Yoga Tablet 2 (Android, 10.1-inch)

Lenovo is building a bigger name for itself year after year, including its devices expanding beyond desktop computers. The company's l ...



Most Commented


Popular News