Google fights off attacks via fraudulent certs | SC Media

Google fights off attacks via fraudulent certs

July 9, 2014

On Tuesday, Google announced that it had stepped in to quell a threat impacting Windows users – fraudulent digital certificates in India linked to several Google domains.

Last Wednesday, the tech giant became aware of the certs, which had been “misissued,” or deemed trusted, by a certificate authority in India, the National Informatics Centre (NIC).

Google – which blocked the fraudulent certs in Chrome with a CRLSet push – alerted NIC, the Indian Controller of Certifying Authorities (India CCA) and Microsoft about the incident. In turn, the certs were also revoked by India CCA, a blog post by Google security engineer Adam Langley said.

Langley explained that the abused certs were included in the Microsoft Root Store and, therefore, “trusted by the vast majority of programs running Windows, including Internet Explorer and Chrome.” Firefox web browser users were not vulnerable, Langley said.
