The search giant reveals several unauthorized digital certificates were issued for Google domains, potentially putting Internet users at risk.
Seth Rosenblatt, Former Senior Writer / News
Certificates are digital documents used to verify that websites are who they say they are, and are part of the backbone of organizational trust that keeps the Web functioning smoothly. They are part of the trust relationship that allows you to buy things on the Web. If a site has an improper certificate, most browsers will block it by default.
Mozilla Firefox security was not compromised because it has its own root store, which didn't include these unauthorized certificates.
Google security engineer Adam Langley said in a blog post that following an update to Google Chrome that same day, users were safe from harm.
"We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the mis-issued certificates in Chrome with a CRLSet push," he wrote, and added that Google was not aware of any other root stores that included the India CCA certificates. That meant that Chrome on Mac OS X, iOS, Android, and Chrome OS itself were not affected.
"Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although mis-issued certificates for other sites may exist," Langley wrote, hence the need to update the browser.
In the aftermath of an investigation conducted on July 8 by India CCA, Google has decided to restrict the India CCA root certificate to only seven domains and their subdomains. The investigation found that four certificates were mis-issued, the first on June 25, three of which were for Google domains and one was for a Yahoo domain.
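To make concrete why the browser configurations Langley describes behaved differently, here is an added Python sketch (not Google's code or the article's) of the checks a client applies to a chain: root-store membership, a CRLSet block list, issuer name constraints and public-key pinning. CA names follow the article; the keys, serial numbers, the `allowed-domain.example` constraint and the `Some Widely Trusted Root` store are constructed, and signature verification is assumed rather than performed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname for a leaf, CA name for an issuer
    issuer: str    # name of the CA that signed this certificate
    spki: bytes    # constructed stand-in for the DER SubjectPublicKeyInfo
    serial: str

def matches(host, domain):
    return host == domain or host.endswith("." + domain)

def validate(host, chain, root_store, pins, crlset, constraints):
    """Return 'accepted' or the first reason the chain (leaf first) is rejected. root_store: trusted root
    names; pins: domain -> SPKI hashes allowed for it; crlset: blocked (issuer, serial); constraints: CA -> domains."""
    if chain[0].subject != host:
        return "hostname mismatch"
    if any(c.issuer != p.subject for c, p in zip(chain, chain[1:])):
        return "broken chain"
    if chain[-1].subject not in root_store:
        return "untrusted root"                   # Firefox: root absent from its own store
    for c in chain:
        if (c.issuer, c.serial) in crlset:
            return "blocked by CRLSet"            # the post-incident Chrome push
        if c.subject in constraints and not any(matches(host, d) for d in constraints[c.subject]):
            return "outside CA name constraints"  # the restriction to a few domains
    for domain, allowed in pins.items():          # pin = SHA-256 of an issuing key's SPKI
        if matches(host, domain) and not any(hashlib.sha256(c.spki).digest() in allowed for c in chain):
            return "pin mismatch"                 # Chrome on Windows for pinned Google domains
    return "accepted"

# Constructed sample data: CA names follow the article, keys and serials are made up.
ROOT = Cert("India CCA", "India CCA", b"constructed-india-cca-key", "01")
NIC = Cert("NIC CA", "India CCA", b"constructed-nic-key", "02")
ROGUE_GOOGLE = Cert("www.google.com", "NIC CA", b"constructed-rogue-key-1", "1001")
ROGUE_OTHER = Cert("www.example.com", "NIC CA", b"constructed-rogue-key-2", "1002")
GOOGLE_PINS = {"google.com": {hashlib.sha256(b"constructed-legitimate-google-ca-key").digest()}}
WINDOWS_ROOTS = {"Some Widely Trusted Root", "India CCA"}  # constructed: includes India CCA
FIREFOX_ROOTS = {"Some Widely Trusted Root"}               # constructed: does not

def scenarios():
    google, other = [ROGUE_GOOGLE, NIC, ROOT], [ROGUE_OTHER, NIC, ROOT]
    return {
        "firefox": validate("www.google.com", google, FIREFOX_ROOTS, GOOGLE_PINS, set(), {}),
        "chrome_windows_google": validate("www.google.com", google, WINDOWS_ROOTS, GOOGLE_PINS, set(), {}),
        "chrome_windows_other": validate("www.example.com", other, WINDOWS_ROOTS, GOOGLE_PINS, set(), {}),
        "after_crlset_push": validate("www.example.com", other, WINDOWS_ROOTS, GOOGLE_PINS, {("NIC CA", "1002")}, {}),
        "after_name_constraint": validate("www.example.com", other, WINDOWS_ROOTS, GOOGLE_PINS, set(), {"India CCA": {"allowed-domain.example"}}),
    }
```

The last two scenarios show the two remedies the article reports: the CRLSet push blocks the specific mis-issued certificates, while the name constraint stops the root from being accepted for anything outside its permitted domains.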
In an update to the original blog post, Langley said that Google was aware of mis-issued certificates beyond those four, and concluded that there was the potential for damage of an "unknown scope."
Web guru and former Google employee Tim Bray said in a blog post that the problems with certificate authorities are severe enough that Google must now step in. Given the importance of commerce to the Web, he said the solution is for Google to kill off the competition with a super-cheap, well-regulated digital certificate store.
"Unfortunately, the CA [Certificate Authority] business is poorly regulated, there are too many of them, and some have questionable competence and/or ethics, this most recent story being an example," Bray said.
Independent security consultant Ashkan Soltani agreed, and said that certificate authorities and the certificate-issuing system have serious flaws. "You can describe the situation akin to 'allowing any lockmaker to issue keys for any other lockmaker's locks,'" he told CNET. "A single rogue actor can give access to even the most secure bank's vaults."
Update at 4:20 p.m. PT: with results of a Google investigation into the forged certificates.