NIC’s SSL Certificate Process Was Compromised; Forged Google SSL Certificates

India’s NIC (National Informatics Centre) issued unauthorized digital certificates for several Google domains. NIC operates intermediate CAs that chain to the root of India CCA (Controller of Certifying Authorities), so anything NIC issues is accepted wherever the India CCA root is trusted. The investigation found that NIC’s issuance process had been compromised and that only four certificates were misissued: three for Google domains and one for Yahoo domains.

According to Google, the exposure is limited to Windows: the India CCA certificates are included in the Microsoft Root Store and are therefore trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store, which does not include these certificates. Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist. [official blog]
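To make the two defences concrete (public-key pinning, which stopped the forged Google certificates, and the per-domain restriction of the India CCA root that Google announced for Chrome), here is a small added model of both checks. It is not Chrome’s code or anything from Google or NIC; certificates are plain records with constructed placeholder SPKI bytes, the pinned key and the allowed domain `example.in` are hypothetical, and the pin format follows the HPKP convention of base64(SHA-256(SubjectPublicKeyInfo)).

```python
"""Added example: SPKI pinning plus root-to-domain restriction, modelled on a
toy chain. Not Chrome's implementation; all certificates and keys below are
constructed placeholders, not real certificate data."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo (constructed)
    issuer: str


def spki_pin(cert):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def host_in_domains(host, domains):
    """True if host equals an allowed domain or is a subdomain of one.
    Matching happens on label boundaries, so 'evilexample.in' does not
    satisfy a limit of 'example.in'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_chain(host, chain, trusted_roots, root_domain_limits, pins):
    """chain is leaf first, root last. Returns (accepted, reason).
    root_domain_limits maps a root subject to the domains it may issue for;
    pins maps a domain to the set of acceptable SPKI pins for it."""
    root = chain[-1]
    if root.subject not in trusted_roots:
        return False, "untrusted root"
    limits = root_domain_limits.get(root.subject)
    if limits is not None and not host_in_domains(host, limits):
        return False, "root %s may not issue for %s" % (root.subject, host)
    # Any certificate in the chain (leaf, intermediate or root) may carry the
    # pinned key, which is how HPKP and Chrome's built-in pins are evaluated.
    pinned = next((p for d, p in pins.items() if host_in_domains(host, {d})), None)
    if pinned is not None and not any(spki_pin(c) in pinned for c in chain):
        return False, "no certificate in chain matches a pinned key"
    return True, "ok"


# --- constructed sample data: none of these are real keys or certificates ---
INDIA_CCA = Cert("India CCA", b"spki-india-cca", "India CCA")
NIC_CA = Cert("NIC CA", b"spki-nic", "India CCA")
GOOGLE_CA = Cert("Google Internet Authority", b"spki-gia", "GeoTrust")
GEOTRUST = Cert("GeoTrust", b"spki-geotrust", "GeoTrust")
TRUSTED = {"India CCA", "GeoTrust"}
PINS = {"google.com": {spki_pin(GOOGLE_CA)}}   # hypothetical pin on the intermediate


def demo():
    """Run the scenarios from the article; returns name -> (accepted, reason)."""
    forged_google = [Cert("www.google.com", b"spki-forged-1", "NIC CA"), NIC_CA, INDIA_CCA]
    legit_google = [Cert("www.google.com", b"spki-real", "Google Internet Authority"),
                    GOOGLE_CA, GEOTRUST]
    forged_other = [Cert("www.example.com", b"spki-forged-2", "NIC CA"), NIC_CA, INDIA_CCA]
    allowed_site = [Cert("portal.example.in", b"spki-in", "NIC CA"), NIC_CA, INDIA_CCA]
    unrestricted = {}                         # India CCA root before the Chrome change
    restricted = {"India CCA": {"example.in"}}  # hypothetical per-root domain limit
    return {
        "forged_google_pinned": check_chain("www.google.com", forged_google, TRUSTED, unrestricted, PINS),
        "legit_google_pinned": check_chain("www.google.com", legit_google, TRUSTED, unrestricted, PINS),
        "forged_other_unrestricted": check_chain("www.example.com", forged_other, TRUSTED, unrestricted, PINS),
        "forged_other_restricted": check_chain("www.example.com", forged_other, TRUSTED, restricted, PINS),
        "allowed_domain_restricted": check_chain("portal.example.in", allowed_site, TRUSTED, restricted, PINS),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-28s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

The third scenario is the one the article warns about: with the root unrestricted, a forged certificate for an unpinned site chains cleanly to India CCA and is accepted, and only the per-root domain limit turns that into a rejection.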

In response to this breach, Google announced that a future Chrome release will restrict the India CCA root certificate to the following domains and their subdomains, so that the root can no longer be used to impersonate sites outside them: