Google confronts more site certificate problems

The search giant reveals several unauthorized digital certificates were issued for Google domains, potentially putting Internet users at risk.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
3 min read

Microsoft diagram showing how certificates are related in a single organization. Microsoft

Google blocked fake digital certificates for several Google domains on July 2, in a move to stymie a surprising breach of fundamental Web security that nevertheless appears to not have had any dire consequences -- this time.

Certificates are digital documents used to verify that websites are who they say they are, and are part of the backbone of organizational trust that keeps the Web functioning smoothly. They are part of the trust relationship that allows you to buy things on the Web. If a site has an improper certificate, most browsers will block it by default.

The forged Google site certificates in this case had been issued by India's National Informatics Center, which holds several intermediate Certificate Authority certificates trusted by the Indian Controller of Certifying Authorities. Certificates from the India CCA are included in the Microsoft Root Store, which means that most Windows software will trust them -- including Internet Explorer and Google Chrome.

Mozilla Firefox security was not compromised because it has its own root store, which didn't include these unauthorized certificates.

Google security engineer Adam Langley said in a blog post that following an update to Google Chrome that same day, users were safe from harm.

Microsoft diagram showing how certificates are related across organizations. Microsoft

"We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the mis-issued certificates in Chrome with a CRLSet push," he wrote, and added that Google was not aware of any other root stores that included the India CCA certificates. That meant that Chrome on Mac OS X, iOS, Android, and Chrome OS itself were not affected.

"Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although mis-issued certificates for other sites may exist," hence the need to update the browser.

In the aftermath of an investigation conducted on July 8 by India CCA, Google has decided to restrict the India CCA root certificate to only seven domains and their subdomains. The investigation found that four certificates were mis-issued, the first on June 25, three of which were for Google domains and one was for a Yahoo domain.

In an update to the original blog post, Langley said that Google was aware of mis-issued certificates beyond those four, and concluded that there was the potential for damage of an "unknown scope."

Web guru and former Google employee Tim Bray said in a blog post that the problems with certificate authorities are severe enough that Google must now step in. Given the importance of commerce to the Web, he said the solution is for Google kill off the competition with a super cheap, well-regulated digital certificate store.

"Un­for­tu­nate­ly, the CA [Certificate Authority] busi­ness is poor­ly reg­u­lat­ed, there are too many of them, and some have ques­tion­able com­pe­tence and/or ethic­s, this most re­cent sto­ry be­ing an ex­ample," Bray said.

Independent security consultant Ashkan Soltani agreed, and said that certificate authorities and the certificate-issuing system have serious flaws. "You can describe the situation akin to 'allowing any lockmaker to issue keys for any other lockmaker's locks,'" he told CNET. "A single rogue actor can give access to even the most secure bank's vaults."

Update at 4:20 p.m. PT: with results of a Google investigation into the forged certificates.