FAKE Google web SSL certificates tip-toe out from Indian authorities

Google is warning that dodgy SSL certificates have been issued by India's National Informatics Centre (NIC): these certs can be used by servers to masquerade as legit Google websites and eavesdrop on or tamper with users' encrypted communications. According to this blog post by Google's security team, the Googlers noticed …

  1. brooxta

    Longitude prize

    This is why we need an alternative to the certificate authority model. Currently we have something that has some of the mechanisms and appearance of security but with too many caveats. There is far too much trust placed in the hands of too many organisations, many of whom are not obviously and transparently known to be trustworthy and some of whom are known to be systematically or ideologically compromised.

    Consider including this problem on the longitude prize list?

    1. Anonymous Coward

      Re: Longitude prize

      You're facing the intractable First Contact problem, where Alice and Bob need to prove themselves to each other when they've never met before. The only way to do that is with a third party, Trent. Problem is, any Gene or Mallory can just impersonate or fool Trent.

      IOW, ANY kind of authority model can be subverted. Certificates can be subverted by the governments or malcontents taking over or subverting the certificate authorities. Even the Web of Trust is not foolproof against a sufficiently-funded adversary who can fill the Web with shills.

      1. Vic

        Re: Longitude prize

        "You're facing the intractable First Contact problem, where Alice and Bob need to prove themselves to each other when they've never met before. The only way to do that is with a third party, Trent. Problem is, any Gene or Mallory can just impersonate or fool Trent."

        Your point notwithstanding, the bigger problem IMO is that Alice has already decided to trust Gordon[1] and Mallory to boot. So the root of the web of trust is already compromised before we start.

        The solution - as always - is education. But I've no idea how to get end-users to care about this[2], let alone get them to take action in terms of curating their root cert lists...

        Vic.

        [1] Who, as we all know, is a moron...

        [2] Even after they've suffered personal losses, most users just think that's how life works.

      2. brooxta

        Re: Longitude prize

        Yes it appears intractable. But it's also very important. Hence the longitude prize suggestion, slightly tongue in cheek.

        1. WatAWorld

          Difficult to solve does not equal impossible to solve

          Difficult to solve does not equal impossible to solve.

          Merkel was on to something with her idea to keep EU internet traffic within the non-Five-Eyes part of the EU -- just like most companies do already. Keep the traffic internal when you can.

          Why trust so many? Why not have the option to only trust the part of the web located in countries where you have human rights and the protection of the law?

          Sure it isn't foolproof, but nothing is. You own a car. It can be hacked. You still choose to own it, you're just careful where you park it.

  2. joed

    where's the root?

    I could not find this CA on w8.1 system (actually really sparse compared to what I heard about older windows). It's not in the list of CAs installed by Mozilla.

  3. P. Lee

    Mis-issued?

    Is it just me that thinks that the likelihood of Google going to an Indian CA for a cert is so remote that it should set off large enormous alarm bells to the CA issuing it? Given that the CA's only real work is to check identities, surely this has to be abuse. If it is incompetence, it is on a gross scale and the CA needs to be punished for that too. Given that they receive a lot of cash for very little, they need to stop hiring numpties.

    It is like SEC regulations, they are expensive to comply with, nobody likes doing it, but if you get caught in breach, the consequences should be severe. Actually it's worse than that, given that the only job is to follow the regulations.

  4. Roger Stenning

    There's another reason...

    ...that I use Firefox.

  5. Anonymous Coward

    Hacked??

    More likely a bung offered and accepted.

    1. Down not across

      Re: Hacked??

      That does indeed sound most likely. Unless of course they just got caught.

  6. RyokuMas

    "these certs can be used by servers to masquerade as legit Google websites and eavesdrop on or tamper with users' encrypted communications."

    No real difference to legit Google websites, then...

  7. WatAWorld

    must be something they learned from us during the British raj.

    India acting like the USA, UK, Canada, Australia and NZ?

    Oh yeah, must be something they learned from us during the British raj.

    I mean really, it's out in the open, probably most countries are doing this sort of thing.

    And if criminals are doing it, well, how many criminals kill people using signature based drone attacks?

    Let's face it: Our internet is full of security holes because those who run our countries want it full of security holes.

    1. Anonymous Coward

      Re: must be something they learned from us during the British raj.

      I doubt very much they needed to learn it from the Raj; India was doing corrupt/paranoid states when woad was still London's hottest fashion trend.

  8. John Robson Silver badge

    DNSSEC

    Then you can put your own root CA on as a TXT record, and sign your own certs.

    You still have to trust the Root DNS certs, but they've demonstrated themselves pretty responsibly up to this point.

    1. TonyHoyle

      Re: DNSSEC

      DNSSEC + DANE does seem the best route, but DNSSEC rollout is basically nonexistent (none of the major banks even use it), and DANE isn't supported by any browser - it was added to Chrome then pulled.. the cynic in me says Verisign is pushing out a lot of brown envelopes to keep it that way.

    2. Jamie Jones Silver badge

      Re: DNSSEC

      "You still have to trust the Root DNS certs, but they've demonstrated themselves pretty responsibly up to this point"

      Indeed. Far better than the current mishmash of companies doing it purely for profit.

      I

  9. BristolBachelor Gold badge

    Windows

    Are the Windows certs really updated on a daily basis, or just once a month on patch Tuesday/Wednesday/whatever?
