Cash prizes amounting to ₹3.4 crore are being promised to developers who help create an indigenous Indian web browser “for the world”, the Ministry of Electronics and Information Technology announced on Wednesday. An important caveat is that browser ideas entered into this competition will have to trust the Controller of Certifying Authorities (CCA), the Indian government’s authority for digital signatures, including SSL (Security Sockets Layer) certificates.
SSL certificates are used to encrypt websites and to make sure that browsers know that a website is not being modified or impersonated by attackers. Browsers know to trust these certificates if they are issued by a certifying authority that is in turn trusted by a ‘root certifying authority’. India does not have a root certifying authority trusted by major browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge.
This has led to a situation where the government operates a root certifying authority that is legally valid under Indian law — the Root Certifying Authority of India, set up in 2000 under the CCA — but the certificates issued under its purview are largely not recognised by web browsers, leading Indian government and private websites to purchase SSL certificates from foreign certifying authorities.
This follows at least one major security lapse linked to an Indian certifying authority. One CCA-approved organisation — the National Informatics Centre (NIC), which hosts and maintains several Union and State Government websites — has had a contentious history as far as being trusted by browsers goes.
In July 2014, operating systems such as Windows and web-browser developers for Google Chrome and Firefox stopped trusting India’s CCA in their ‘root store,’ a repository of trusted root certifying authorities, after the NIC appeared to issue fraudulent certificates to websites. The CCA revoked NIC’s authorisation for issuing most SSL certificates, but operating systems and browsers still do not have RCAI-approved authorities in their trust stores.
Even the website of the Indian Web Browser Development Challenge, as the competition is called, bears an SSL certificate through Let’s Encrypt, a non-profit initiative by the California-based Internet Security Research Group.
Most of CCA’s work is currently around digital signatures accepted on documents; but on SSL certificates, Indian websites have had to defer to the trustworthiness of certifying authorities abroad. Officials have framed the effort to create a browser that trusts Indian certifying authorities as a matter of reducing foreign dependence.
“There is a huge amount of foreign exchange outflow which is happening” to foreign certifying authorities, Arvind Kumar, the Controller of Certifying Authorities, said at the competition’s launch. “Around ₹100 crore are being spent buying these SSL certificates overseas annually.”
The competition is being organised and financed in collaboration with the IT Ministry’s Research and Development division and the National Internet Exchange of India.
