Although the security breach occurred at NIC, Google holds India CCA responsible as well, because NIC's CA operated under its authority.
"A root CA is responsible for all certificates issued under its authority," Langley said. "In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users: gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in, tcs.co.in," he said.
SSL certificates for any other domain names that chain back to India CCA will no longer be accepted in Chrome.
NIC is not the first government-run certificate authority to issue rogue certificates. In September 2013, a CA certificate owned by the Treasury department of the French Ministry of Finance was used to issue rogue certificates for several Google domain names. The incident was the result of human error.
In July 2011, a hacker broke into the infrastructure of DigiNotar, a certificate authority used by the Dutch government, and issued hundreds of rogue certificates for high-profile domains. DigiNotar filed for bankruptcy following the security breach.
Incidents like these have raised questions about the security and trustworthiness of the public key infrastructure (PKI), in which hundreds of certificate authorities, operated by private and public organizations, each have the power to issue certificates for any domain on the Internet that will be trusted by most browsers and operating systems. Several technical solutions have been proposed to limit the impact of a compromised CA, but none has been widely adopted so far.
Google Chrome has a feature called public-key pinning that accepts only pre-defined public keys (and therefore only certificates carrying them) for some high-profile domain names. This feature would have prevented the rogue Google certificates issued by NIC from being used against Chrome users, but it only protects a limited number of popular domains.
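The two client-side defences the article describes, restricting a root CA to a list of domains and their subdomains, and pinning public keys for selected hosts, can be modelled in a few lines. The following is an added illustration, not Chrome's code; the root name, the `ROOT_DOMAIN_LIMITS` table and the sample SPKI byte strings are constructed for the example, and the pin format (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo) is the pin-sha256 form.

```python
import base64
import hashlib
from typing import Iterable, Sequence

# Hypothetical policy table: root CA name -> domains it may issue for.
# The list is the one quoted in the article for the India CCA root.
ROOT_DOMAIN_LIMITS = {
    "India CCA": ("gov.in", "nic.in", "ac.in", "rbi.org.in",
                  "bankofindia.co.in", "ncode.in", "tcs.co.in"),
}


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.strip().lower().rstrip(".")


def hostname_permitted(root_name: str, hostname: str) -> bool:
    """True if a chain ending in root_name may be used for hostname.

    Roots absent from the table are unrestricted. A restricted root matches a
    listed domain exactly or any subdomain of it, so 'mail.gov.in' is allowed
    under 'gov.in' while 'notgov.in' (a bare suffix match) is rejected.
    """
    limits = ROOT_DOMAIN_LIMITS.get(root_name)
    if limits is None:
        return True
    host = _normalize(hostname)
    return any(host == _normalize(d) or host.endswith("." + _normalize(d))
               for d in limits)


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_pinned(chain_spkis: Sequence[bytes], pins: Iterable[str]) -> bool:
    """True if at least one public key in the presented chain matches a pin.

    A rogue leaf issued by an unexpected CA fails because neither its own key
    nor its issuer's key appears in the pin set recorded for the host.
    """
    pin_set = set(pins)
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


if __name__ == "__main__":
    # Constructed sample keys standing in for real SPKI DER blobs.
    good_key, rogue_key = b"constructed-spki-legit", b"constructed-spki-rogue"
    print(hostname_permitted("India CCA", "www.google.com"))   # False
    print(chain_pinned([rogue_key], [spki_pin(good_key)]))     # False
```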