Cyber Incident Victim: National Informatics Centre
Date: Jul 2014
Location: India
Summary
The National Informatics Centre (NIC), an Indian government agency, issued unauthorized SSL certificates impersonating Google domains, leveraging its status as a certificate authority trusted by India's Controller of Certifying Authorities (CCA). Google detected the fraudulent certificates and notified NIC, the CCA, and Microsoft. Microsoft revoked NIC's trusted status in its root store, preventing exploitation in Windows environments; other major platforms did not include the India CCA root certificate in their trust stores. Google's existing security measures, including certificate pinning and CRLSet updates, protected its users by blocking the fake certificates and rendering NIC-issued certificates untrusted across its services.
Description
In July 2014, Google identified fraudulent digital certificates for its domains issued by India’s National Informatics Centre (NIC), which operated as a subordinate certificate authority under the Indian Controller of Certifying Authorities (India CCA). The NIC’s intermediate CA certificates chained to the India CCA root certificate, which was included in Microsoft’s trusted root store. As a result, most Windows applications relying on SSL/TLS would automatically trust certificates issued by the NIC. Google security engineer Adam Langley confirmed that users of Chrome and other Google products were protected from spoofing by certificate pinning, a security feature that enforces trust only for predefined certificates. Google promptly notified the NIC, India CCA, and Microsoft of the incident. Microsoft responded by revoking the NIC’s certificate authority status, preventing further misuse. The India CCA published a notice on its website stating it had suspended three CA certificates issued to NIC and updated Certificate Revocation Lists (CRLs) to invalidate them.

The incident’s impact was primarily limited to systems trusting the Microsoft root store, as other major platforms (including Apple, Mozilla Firefox, Chrome OS, and Android) did not include the India CCA root certificate. Google reinforced protections by distributing CRLSet updates to block the fraudulent certificates across its services. The NIC, described as India’s premier government ICT organization, saw its certificates distrusted following the incident. Chrome and other services began explicitly rejecting connections authenticated by NIC-issued certificates and displaying error messages. No evidence suggested user data was compromised, as Google’s existing TLS/SSL safeguards neutralized the threat. The India CCA’s public notice emphasized ongoing updates but did not elaborate on the "security reasons" behind the suspension.
