wordpress blog stats
Connect with us

Hi, what are you looking for?

Investigation launched after NIC issues unauthorized certificates to Google sites

The Indian Controller of Certifying Authorities (Indian CCA) has launched an investigation into the issue of unauthorized certificates to Google domains by the National Informatics Centre Certifying Authority (NICCA) of India, Google has informed on its online security blog.

Such a certificate could have been used for unauthorized eavesdropping on Google services such Gmail or Google Docs. The company has clarified that only Windows users were affected by this issue as the India CCA certificates are included in the Microsoft Root Store. It does not know of any other root store that has these certificates. This root store is trusted by several Windows programs including Internet Explorer and Chrome. Google notes that Firefox users were not affected because it uses a different root store that doesn’t include these certificates.

Google mentions that it became aware of these certificates on July 2 and contacted India CCA and Microsoft about the issue. NICCA is the official body responsible for the issuance and maintenance of digital certificates for usage within the Government of India domain. It fulfills requirements of trustworthiness of a Certifying Authority as laid down by the IT Act 2000.’

Google also blocked these certificates in Chrome with a CRLSet push. For example, if you visit the NICCA website from any browser, you get a message stating that it may not be safe to open the website as there is a problem with the website’s certificate.

The Indian CCA launched the investigation the next day itself, while NICCA stopped issuing digital certificates. The agency has put up the following message on its website. “Due to technical reasons, NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted.”

According to its website, NICCA offers four distinct classes of digital certification services, Classes 0-3, for NICNET users within the government. Each level or class of certificate provides specific functionality and security features, and corresponds to a specific level of trust . At present, it will be issuing only class 0 certificates. You can refer to the CPS policy in the Repository section of the site for more details on this.

Who was spying?

It is not clear how such a certificate was issued by NICCA or for whom they were issued. There is also no information on how long these certificates have been around.

It’s worth noting that the stealing of website certificates has been on the rise, but we’re not quite if that’s what happened here. It’s quite possible that this was a case of hacking or this was done to eavesdrop on Google users in India by the government. We hope that the CCA posts the investigation report publicly when the investigation is done, instead of burying it under layers of red tape and bureaucracy.

You May Also Like


Google has signed a deal with news publishers in France to pay them for content appearing as preview snippets in search results, the company...


Hyperlocal e-commerce company Dunzo has raised $40 million from new and existing investors including Google, Lightbox, Evolvence, Hana Financial Investment, LGT Lightstone Aspada, and...


Google has closed its deal to acquire fitness wearables company Fitbit, even as probes by competition regulators in the United States and Australia are...


Google has sent emails to several digital lending mobile applications on its Play Store, requiring their operators to submit details of their regulatory and...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to Daily Newsletter

    © 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ