Recently there was a WhatsApp message that UIDAI is offering a new service to enable an Aadhaar holder to block use of his biometric authentication requests through a mandatory OTP. The message indicated that the service is provided through https://resident.uidai.net.in/biometric-lock. This would mean that no agency could check biometric of an aadhaar user without his knowledge. (Assuming that an OTP message to the mobile is equal to such “Knowledge”). It was of course a security feature which can be welcomed.
However, on verification, the undersigned flagged the message as “Possible Phishing” on the basis of a couple of observations. The first was that the domain name was registered in the name of an individual and not the organization It was registered with a private sector registrar and not NIC where as the website is actually maintained by NIC . The telephone number did not appear to exist in the directory and e-mails were unanswered.
Further when the SSL certificate for the site was viewed, it was observed that the certificate was not issued by the Indian authorities but a US based private sector Certifying Authority called Geo Trust.
Also the service of locking did not appear to work since no OTP was being generated.
Considering these facts, it was reasonably suspected that the website may be a phishing site.
However, when examined further, it was found that uidai.gov.in was also registered in a personal name and had also obtained its Digital Certificate from Geo Trust. Also an acknowledgement was received from UIDAI authorities that the site is not a phishing site and is in fact genuine. It was also surprising to observe that the main UIDAI site was running in a folder named “beta” indicating that the site was not yet launched properly. For a service on which 1.2 billion Indians are registered and conducting secure transactions of all kinds including payment settlements, it was unthinkable that the site could still be in a “beta”state.
While we leave it to UIDAI to migrate to what it considers as the operating website, we need to raise the issue of
a) Why should a Government Property in the form of Domain Names uidai.gov.in or uidai.net.in be registered in the names of individuals and not the organizations.
b) Why should UIDAI get its Digital Certificate from a US based private agency and not NIC or other licensed Certifying authorities in India which includes CDAC and IDRBT which work in the Government sector.
If Government agencies donot respect the system of “Licensed Certifying Authorities” in India as per ITA 2000/8, why at all the system of licensing of Certifying Authorities exist. Is it a show of no confidence in NIC or other licensed CAs or on the CCA itself? Or is it an “Ego” issue between UIDAI and CCA or NIC?
There is already allegation that UIDAI was constantly using the hardware suppliers from US and compromising the security of the Country. Now even in the matter of digital certificates, this trend seems to continue.
I have heard of the technical arguments that Indian digital certificates throw up an error in the Web Browsers and hence the US certificates work better. But security professionals know that this happens because the root certificates of the CA and CCA are not installed in the browser by default and hence the errors do come up.
Government of India needs to persuade the browser manufacturers to incorporate the necessary root certificates as an OEM configuration and not allow Government agencies to bypass the security by allowing a foreign agency to hold the decryption key to be able to observe all transactions that happen in the UIDAI system.
I look forward to the CCA, the Ministry of Information Technology, CERT-IN, the Ministry of Home Affairs and the PMO to clarify their stand on this issue.
Comments are welcome
Naavi