Fake TLS certificates doled out by India, scope of problem unknown

updated 10:37 am EDT, Thu July 10, 2014

Internet Explorer, other Windows apps affected; problem could be widespread

Microsoft Internet Explorer users are being affected by a series of fraudulent transport layer security (TLS) certificates. The fake certificates, issued by India's National Informatics Centre, are trusted by the Microsoft Root Store -- a core library that Internet Explorer and other Windows applications use for identity verification. India's Controller of Certifying Records claims that only four fake certificates were issued, but other sources, including Google, are claiming that there are many more.

Transport Layer Security is a cryptographic protocol designed to provide communication security over the Internet. It uses X.509 certificates issued by governing authorities to authenticate the party at the other end of the connection, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. Several versions of the protocol are in widespread use in applications such as web browsing, email, instant messaging, and voice-over-IP (VoIP).

Google researchers doubt the claim of only four fake certificates, and have seen more. Google security engineer Adam Langley states in a blog post about the situation that "the four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown."

All certificates held by the National Informatics Centre were revoked on July 3, which means that, in theory, casual misuse of the certificates is spotted, with users being warned by Windows of the problem. However, the checks are relatively easy to bypass, and a malware attack can be specifically designed with the bad certificates and mechanisms to bypass certificate revocation checking.

Microsoft has issued a terse statement about the fraudulent certificates. It disagrees with Google's assessment of the situation, and says that "we are aware of the mis-issued third-party certificates, and we have not detected any of the certificates being issued against Microsoft domains. We are taking the necessary precautions to help ensure that our customers remain protected." Electronista has spoken with Microsoft security officials, who claim that an advisory will be issued about the issue "soon."

Up-to-date Chrome users, even on Windows, are unaffected by the certificate issuance, and another hardcoded ban on CCA certificates from seven India-based subdomains will be issued shortly. Firefox and Thunderbird are likely unaffected, as well as any browser on OS X.

by MacNN Staff


