Private keys of government websites in US hands



The certificates and private keys of more than 31 websites managed by the Indian government were shared with a US-based company, Akamai. These websites include india.gov.in, digilocker.gov.in, supremecourt.gov.in and incredibleindia.org, among others. Akamai is a content delivery network (CDN) provider that acts as a proxy for various websites.

HTTPS is the foundation of the encrypted web. An HTTPS website needs an SSL certificate to set up an encrypted connection between your web browser, such as Google Chrome, and the website you are visiting. This encrypted connection protects sensitive data you might share with the website, like a password or credit/debit card details. It is a fragile ecosystem: every certificate that is issued has a public key and a private key for communication, and the private key needs to stay with the owner of the website. The problem here is that the government is sharing the private keys with a third party answerable to a foreign government. Because of this, even though the website uses HTTPS, the data is in clear text at the US company.

Many sites use these services from Akamai and Cloudflare. As long as the private key is with you, this is not a problem. But the threat perception and the impact of a compromise are very different for a startup and a government website. The issue was pointed out on Saturday by an internet researcher, Kingsly John. He said, "Government websites should not be using such foreign services like Akamai and Cloudflare in the first place. Everyone's name, Aadhaar and mobile number are first sent in clear text to a US company's servers before they reach the government server. A whole bunch of government websites seem to be using Akamai which can be forced by the US to hand over any/all data. This is a disgrace and impacts national security."

Last year the Reserve Bank of India was using such a certificate from Cloudflare, but soon rectified it. RBI is now serving directly from its servers instead of using a proxy.

Moreover, instead of generating a certificate for each website, NIC has generated a single certificate for dozens of websites and handed it over to Akamai. Because of this, the US government, Akamai or anyone else can conduct a man-in-the-middle attack, collect all the data without anyone knowing it, and send false data that users cannot differentiate from the real thing.

He added that while it was quite rare to see a single certificate for many domains, if one certificate were leaked, dozens of government websites would be compromised.

More problematic is that many domains and subdomains that are listed in the certificate do not even use Akamai's network.
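A site owner can audit this exposure from the certificate's subject alternative name (SAN) list. The following is an added example, not part of the original article: it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports which covered names are actually fronted by the CDN and which are listed without needing to be. All hostnames, CNAME targets and the `.cdn.example` suffix are constructed placeholders.

```python
# Added example: audit the names that share one certificate (and one private key).
# Every hostname, CNAME target and CDN suffix below is a constructed placeholder.

def san_dns_names(peercert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = peercert.get("subjectAltName", ())
    return sorted({value.lower() for kind, value in sans if kind == "DNS"})

def served_by_cdn(cname_chain, cdn_suffixes):
    """True if any CNAME target in the chain ends in a CDN-owned suffix.
    Suffixes carry a leading dot so 'evilcdn.example' cannot match '.cdn.example'."""
    targets = [t.lower().rstrip(".") for t in cname_chain]
    return any(t.endswith(s) for t in targets for s in cdn_suffixes)

def audit_shared_cert(peercert, cname_chains, cdn_suffixes):
    """Classify every name on the certificate.
    Whoever holds the private key can impersonate all of them; names in
    'not_on_cdn' are exposed although the CDN never serves them, and
    wildcards cover a set of hosts that cannot be enumerated from the cert."""
    names = san_dns_names(peercert)
    wildcards = [n for n in names if n.startswith("*.")]
    concrete = [n for n in names if not n.startswith("*.")]
    on_cdn = [n for n in concrete
              if served_by_cdn(cname_chains.get(n, ()), cdn_suffixes)]
    not_on_cdn = [n for n in concrete if n not in on_cdn]
    return {"san_count": len(names), "on_cdn": on_cdn,
            "not_on_cdn": not_on_cdn, "wildcards": wildcards}

# Constructed sample: one certificate covering several unrelated sites.
SAMPLE_CERT = {"subjectAltName": (
    ("DNS", "portal.gov.example"), ("DNS", "locker.gov.example"),
    ("DNS", "court.gov.example"), ("DNS", "*.tourism.example"),
    ("IP Address", "192.0.2.10"))}

# Constructed CNAME chains, as a DNS lookup of each name would return them.
SAMPLE_CNAMES = {
    "portal.gov.example": ["portal.gov.example.cdn.example."],
    "locker.gov.example": ["locker-origin.gov.example.", "e1234.edge.cdn.example."],
    "court.gov.example": [],  # resolves straight to the origin server
}

if __name__ == "__main__":
    report = audit_shared_cert(SAMPLE_CERT, SAMPLE_CNAMES, (".cdn.example",))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Names reported under `not_on_cdn` are candidates for removal from the shared certificate, or for their own certificate whose key never leaves the origin.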
