
NIC India issued digital certificates for Google domains



On July 2, Google discovered several fraudulent digital certificates for its domains, issued by India's National Certification Authority (NIC). It is likely that the NIC issued such certificates for other sites as well, not just Google's.

The NIC's certificates chain up to the Indian Controller of Certifying Authorities (India CCA) root, which is included in the Microsoft Root Store. As a result, the fraudulent certificates were unfortunately accepted by a large number of Windows programs, including the Internet Explorer and Chrome browsers. Only Firefox uses its own root store rather than the Microsoft Root Store.

Chrome on other operating systems, including Chrome OS, Android, iOS and OS X, is not affected. Moreover, for Google's own sites even Chrome on Windows would not have accepted the fake certificates: several years ago, after the well-known CA incidents, Google began maintaining its own list and "pinning" its certificates into Chrome (the certificate pinning feature).
Google notified India NIC, India CCA and Microsoft of the incident. India CCA revoked the certificates on July 3 and began an investigation.

Fraudulent certificates have been issued in previous years as well, including deliberately, for MITM attacks ordered by the national governments of several countries. Such certificate substitution is very difficult to detect on the server side; in fact, there is no completely reliable way to check for it. In this case the fake was noticed, one might say, by chance, thanks to the certificate pinning feature for Google sites mentioned above.
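The following is an added example in Go, not code from the original post, showing the difference the pinning check makes: a server certificate that chains to any root in the store passes ordinary validation, but only a chain containing a pinned public key passes the pin check. The CA and server certificates are generated as constructed test data, and the pin set and the SHA-256-of-SubjectPublicKeyInfo form are assumptions; Chrome's real pin list and matching rules are not reproduced.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// SPKIPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value a pin check compares against.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// MkCert builds constructed test material only: a self-signed CA when parent is nil, else a server cert for name signed by parent.
func MkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed root unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, signer, signerKey = []string{name}, parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// VerifyWithPins: chainOK is the plain root-store check every Windows client passed for the NIC certificates;
// pinOK also requires some certificate in the validated chain to match a pin, the check that caught them in Chrome.
func VerifyWithPins(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[[32]byte]bool) (chainOK, pinOK bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false, false // hostname, validity or chain failure: rejected regardless of pins
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return true, true
			}
		}
	}
	return true, false // chains to a trusted root but never to a pinned key: the NIC case
}
```

To reproduce the scenario, put a pinned CA and a second, unpinned CA in the same pool and issue a certificate for the same host from each: the first returns chainOK and pinOK true, the second chainOK true but pinOK false.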

Chrome users do not need to take any additional protective steps. Still, the incident once again highlights the importance of improving the security of the CA system in the future. One option is a global database of public certificates against which the browser checks.

Source: https://habr.com/ru/post/229185/

