The Indian Controller of Certifying Authorities (Indian CCA) has launched an investigation into the issue of unauthorized certificates to Google domains by the National Informatics Centre Certifying Authority (NICCA) of India, Google has informed on its online security blog.

Such a certificate could have been used for unauthorized eavesdropping on Google services such Gmail or Google Docs. The company has clarified that only Windows users were affected by this issue as the India CCA certificates are included in the Microsoft Root Store. It does not know of any other root store that has these certificates. This root store is trusted by several Windows programs including Internet Explorer and Chrome. Google notes that Firefox users were not affected because it uses a different root store that doesn’t include these certificates.

Google mentions that it became aware of these certificates on July 2 and contacted India CCA and Microsoft about the issue. NICCA is the official body responsible for the issuance and maintenance of digital certificates for usage within the Government of India domain. It fulfills requirements of trustworthiness of a Certifying Authority as laid down by the IT Act 2000.’

Google also blocked these certificates in Chrome with a CRLSet push. For example, if you visit the NICCA website from any browser, you get a message stating that it may not be safe to open the website as there is a problem with the website’s certificate.

The Indian CCA launched the investigation the next day itself, while NICCA stopped issuing digital certificates. The agency has put up the following message on its website. “Due to technical reasons, NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted.”

According to its website, NICCA offers four distinct classes of digital certification services, Classes 0-3, for NICNET users within the government. Each level or class of certificate provides specific functionality and security features, and corresponds to a specific level of trust . At present, it will be issuing only class 0 certificates. You can refer to the CPS policy in the Repository section of the site for more details on this.

Who was spying?

It is not clear how such a certificate was issued by NICCA or for whom they were issued. There is also no information on how long these certificates have been around.

It’s worth noting that the stealing of website certificates has been on the rise, but we’re not quite if that’s what happened here. It’s quite possible that this was a case of hacking or this was done to eavesdrop on Google users in India by the government. We hope that the CCA posts the investigation report publicly when the investigation is done, instead of burying it under layers of red tape and bureaucracy.