According to reports published on Windows help forums online, Microsoft recently had to deal with an issue involving fake security certificates issued by the Indian online certification authority, the Controller of Certifying Authorities (CCA). These reports claim that there was a breach in the CCA certification process and that fake certificates were issued as a result.
What are the security implications for Windows OS users?
In simple terms, this means that the Windows OS and the browser applications relying on these certificates can be easily fooled by fake websites posing as genuine ones. So far, only the Google and Yahoo websites are mentioned in these reports. It is clear that the hackers targeted these websites because they are so widely used around the globe.
When you access a website, the operating system or the browser checks its security certificate to verify the authenticity of the website. It is easy to set up a fake website, but without proper security certificates, such websites can be easily identified as fakes. These digital certificates are issued by different certification authorities, like the CCA in India, mentioned above.
In this case, the certificates were issued by the National Informatics Center (NIC) of India on behalf of CCA, as is the norm. The fake certificates issued by NIC were first detected by Google's security team, which immediately alerted both CCA and Microsoft. Microsoft has now identified these fake security certificates in its library and issued a warning to its users on its official websites and Windows help forums online.
The Google Security team has also published a report on this breach on their Google Online Security blog site. The blog post mentions that Google and Yahoo were the main targets of this hacking attack. However, they point out that many other websites might have been affected by this problem.
Since different browsers use different certificate verification systems, not all of them were affected by this problem. For example, Google Chrome and Internet Explorer rely on the Microsoft Root Store, where the certificates used to verify the authenticity of these websites are stored. Mozilla Firefox, however, uses its own root store for this.
Since fake certificates were found only in the Microsoft Root Store, Firefox browser users have nothing to worry about. Visit the Google Online Security blog site to read their full report on this.
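The root-store difference described above can be checked directly. The Python below is an added example, not code from Microsoft, Google or the reports: it lists which root stores contain a trust anchor for a named CA, and can run the same check against the roots Python loads on the local machine. The store names and certificate names are constructed stand-ins, and treating "subject equals issuer" as the mark of a root is a simplifying assumption.

```python
import ssl

def flatten(name):
    """Turn the ssl module's nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def matching_roots(ca_certs, needle):
    """Return subjects of self-issued roots whose name fields contain needle."""
    needle = needle.lower()
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        if subject != flatten(cert.get("issuer", ())):
            continue  # issued by someone else: an intermediate, not a trust anchor
        if any(needle in value.lower() for value in subject.values()):
            hits.append(subject)
    return hits

def stores_trusting(stores, needle):
    """Names of the root stores that contain a matching trust anchor."""
    return sorted(n for n, certs in stores.items() if matching_roots(certs, needle))

def local_roots():
    """Roots Python loaded from this machine's default store.
    On Windows this is the system store; with an OpenSSL capath directory
    the list can be incomplete, because those files are loaded lazily."""
    return ssl.create_default_context().get_ca_certs()

def _cert(subject_cn, issuer_cn, org):
    # Constructed sample entry in the shape SSLContext.get_ca_certs() returns.
    return {"subject": ((("organizationName", org),), (("commonName", subject_cn),)),
            "issuer": ((("organizationName", org),), (("commonName", issuer_cn),))}

# Constructed stand-ins for two vendors' root stores; all names are illustrative.
SAMPLE_STORES = {
    "store_a": [_cert("Example National Root CA", "Example National Root CA", "Example PKI"),
                _cert("Example Sub CA", "Example National Root CA", "Example PKI"),
                _cert("Other Root", "Other Root", "Other Org")],
    "store_b": [_cert("Other Root", "Other Root", "Other Org")],
}

if __name__ == "__main__":
    print(stores_trusting(SAMPLE_STORES, "example national"))
    for subject in matching_roots(local_roots(), "example national"):
        print("trusted locally:", subject)
```

A certificate chaining to the sample root would validate for software using `store_a` and fail for software using `store_b`, which is the situation the article describes for the Microsoft Root Store versus Firefox's own store.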