A deficiency in Estonian ID card certificates, discovered by checks performed by Google, concerns close to 250,000 ID card holders, including all of the about 5,000 e-residents.
On September 15th it surfaced that Google, while developing its Chrome web browser, had toughened the formal checking of certificates. «The screws were turned so tight as to hit somewhat about several hundred Estonian ID cards, digital identity cards, and, there’s no denying – the e-resident cards. No longer do these pass Google Chrome’s tough security conditions and logging into the website is impossible,» described Republic of Estonia Information System Authority (RIA) analyst Anto Veldre, writing in the RIA blog yesterday.
Mr Veldre said the glitch is that the certificate ought to begin with certain agreed bits: the modulus should be positive, but the certificates created by AS Sertifitseerimiskeskus (Certification Centre) started with minus bits.
«There’s no direct security hazard posed by these minus-bits. Setting the bits the other way round will not directly lower anyone’s privacy nor will any data leak out anywhere. It’s just not nice to ignore the standard,» explained the analyst.
Mr Veldre said, however, that such «misinterpretation» of bits contradicted even the certification centre’s own in-house standard, and that it is strange how a mistake like that could pass through the enterprise’s control mechanisms.
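The sign problem described above can be checked mechanically. The following Python sketch is an added example, not code from RIA, the certification centre or Google; it assumes the «minus bits» correspond to a DER-encoded RSA modulus whose top bit is set without the leading 0x00 byte, and the toy modulus and all function names are constructed for illustration.

```python
# Added example: strict vs. lenient reading of a DER-encoded RSA modulus.
# The key below is a constructed toy value, not taken from any real ID card.

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_integer(value, pad=True):
    """Encode a non-negative int; pad=False drops the 0x00 sign byte (faulty form)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if pad and raw[0] & 0x80:
        raw = b"\x00" + raw  # top bit set: prefix 0x00 so the value stays positive
    return b"\x02" + der_len(len(raw)) + raw

def encode_rsa_public_key(n, e, pad_modulus=True):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_integer(n, pad_modulus) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def check_modulus(der):
    """Return (value per DER rules, value if the sign is ignored, is_negative)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, mod, _ = read_tlv(body)
    if tag != 0x02 or not mod:
        raise ValueError("expected non-empty INTEGER")
    strict = int.from_bytes(mod, "big", signed=True)    # DER INTEGER is two's complement
    lenient = int.from_bytes(mod, "big", signed=False)  # what a tolerant parser assumes
    return strict, lenient, strict < 0

N, E = 0xD3A1F0C2B4E59687, 65537  # constructed 64-bit toy modulus with the top bit set
if __name__ == "__main__":
    for label, pad in (("conforming", True), ("faulty", False)):
        print(label, check_modulus(encode_rsa_public_key(N, E, pad)))
```

A tolerant parser recovers the same modulus from both encodings, while a strict one sees a negative number in the second and rejects the key.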
«This is definitely nonconformity to standards by us. In our software development, we let an error slip through. The reason the error passed, and permanently so, was that no browser had discovered it before and with these our ID card works excellently till this day,» explained certification centre chief Kalev Pihl.
In order to spare all owners of ID cards with faulty certificates from having to visit Police and Border Guard Board offices, especially with the nearly 5,000 e-residents in mind, RIA will again create the option to update ID card certificates and software over the Internet.
RIA electronic identity department head Vallo Veinthal said the remote update option is a must, as otherwise it would be difficult to ensure that the Estonian ID card keeps working with constantly updated operating systems and web browsers.
The nearly 250,000 ID cards with faulty certificates were issued during the year starting September 2014. This is the period in which all of Estonia’s e-resident cards were issued. Unless the error is fixed within the next six months, people will not be able to authenticate themselves with future versions of the Google Chrome web browser.