India goes digital (digilocker.gov.in)
95 points by pranavk on Mar 8, 2015 | 40 comments



Ok, lot of negative impressions here. Only 10MB space, bad ssl cert etc. These things are easily fixable in future updates.

The reason this is nice to have is this quote from the site:

"How is DigiLocker going to help me?

It will minimize the use of physical documents and will provide authenticity of the e-documents. It will provide secure access to Govt. issued documents. It will also reduce administrative overhead of Govt. departments and agencies and make it easy for the residents to receive services."


For people having issues with CA - It is not the CA that is the problem (it is not a famous CA, but is known, at least by Chrome), the problem is that they probably shortened the domain too late and are still using the old configuration. Use the URL below, the certificate works fine. It's just for the wrong domain:

https://digitallocker.gov.in/

Edit: I'm unable to login though. I get the OTP from Aadhaar just fine, but the website doesn't seem to be able to verify it.

Edit 2: It worked after a couple of tries. Looking at the trail, it is probably some issue with Aadhaar and not this website. It does look really neat. You basically upload copies of your IDs and then agencies can request it. You get to approve. They are pulling UID data so it's quick to set up. I think the point of this is that you can link all other IDs with UID so people just have to ask for your Aadhaar number, no paper ID copies or forms. I wish they just integrated this into UID system like they link bank accounts, that way developers would have a single UIDAI API for identity, bank accounts and other IDs.


I am getting the certificate error even at the link you provided (using Google Chrome on Ubuntu 14.04).


I investigated further. It works fine on Mac and Windows 8.1. Apparently your operating system doesn't support the CA yet. I don't have Ubuntu, but I do have a linux based system, and it fails there too.

They are using a relatively new sub-CA of e-Mudhra, so it will appear everywhere soon, I believe.

If you're really willing to use it now, SHA1 of verified certificate is 56 7F 2D B5 7E 31 BC E5 6C 5C 8C 3B 80 44 AA 2F 7C 13 D3 6D. Not ideal way at all, but might help paranoia. You shouldn't trust me though.
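The name check and the out-of-band fingerprint comparison discussed in this sub-thread are independent, and the sketch below reports them separately. It is an added example, not part of the original thread; the certificate dict and DER bytes are constructed stand-ins (not the real certificate), and the wildcard rule is a simplified left-most-label match.

```python
import hashlib
import hmac

def normalize_fingerprint(text):
    """Turn '56 7F ...' or '56:7f:...' into lowercase hex; reject non-hex."""
    hexstr = "".join(ch for ch in text if ch not in " :\t\n").lower()
    bytes.fromhex(hexstr)  # raises ValueError on malformed input
    return hexstr

def fingerprint_matches(der_cert, published, algo="sha1"):
    """Hash the DER certificate and compare with a fingerprint obtained out of band.
    SHA-1 mirrors the comment above; pass algo="sha256" where that is published."""
    actual = hashlib.new(algo, der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(published))

def dns_names(peercert):
    """dNSName entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label (simplified rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(peercert, der_cert, host, published):
    """Report the name check and the fingerprint check separately."""
    return {
        "hostname_ok": any(name_matches(n, host) for n in dns_names(peercert)),
        "fingerprint_ok": fingerprint_matches(der_cert, published),
    }

# Constructed sample data (not the real certificate).
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
_hex = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_FP = " ".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))
SAMPLE_CERT = {"subjectAltName": (("DNS", "digitallocker.gov.in"),)}

if __name__ == "__main__":
    for host in ("digilocker.gov.in", "digitallocker.gov.in"):
        print(host, classify(SAMPLE_CERT, SAMPLE_DER, host, SAMPLE_FP))
```

With the sample data, the short domain passes the fingerprint comparison but still fails the name check, so a matching fingerprint alone does not show the certificate covers the host being visited.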


The Certificate seems to be verified by a "Gujarat Narmada Valley Fertilizers Company Ltd."

Speaking as an Indian, I am not sure I would trust a CA run by a company that is close to the Indian govt. (whose record on corruption and civil liberties isn't exactly stellar).


The whole point of the CA system is that there is no place for personal opinion on which CA to trust, as long as they make it to your operating system. The audits they go through far trump the hand-waving you just did.


Using OSX 10.10 & Chrome 41.0. Doesn't work.


I'm on Mac and Chrome. It's not working.


I think that uses Mozilla's root store, which doesn't have the root. Microsoft's root store that is used on Windows has it.


It's kind of hilarious that their certificate is signed by "Gujarat Narmada Valley Fertilizers Company Ltd."


I'm leaving aside the certificate issue for a moment since others have mentioned it. This solution is a great way for hackers and phishers to collect a lot of personal information. Perhaps this is done with very good intentions, but is really poorly thought out. I wonder who architects these solutions and how they think.

See the following question in the FAQ (I've edited it for brevity with ellipsis and emphasized important parts). [1]

>Q11 How can I share the e-documents in my digital locker?

>A11 For sharing your e-document...enter the email address of the recipient in the dialog box and click ‘Share’ button.

>The document will be shared with the recipient via email. ...email body will have the URI link of the document and the sender name and Aadhaar number. The recipient can access the document using the URI link provided in the email.

So:

1. You share your document, which is sent over plain text email.

2. The recipient can access it just with a link. There is no authentication or verification of any kind.

3. The recipient can forward the mail to data collectors so they can immediately get your name, your Aadhaar number and the document. There is no link expiry, which allows perpetual abuse of information by forwarding emails. This technology makes selling information a lot simpler and quicker.

4. Someone else's email account gets hacked? Thousands or millions of names, Aadhaar numbers and documents could be out on torrents soon enough. Talk about government enabling things through technology.

Even if you trust the government to store all your documents, even though some may be issued by local authorities, this looks more and more like a comprehensive and centralized data collection mechanism. The next step, which may or may not be disclosed, would be to provide access to every government entity to query this database without any control or limits or oversight. For a country without any privacy laws, they already have your biometric information, now they can completely own you. :)

[1]: https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0...


No, no, no. The link they send requires Aadhaar verification, you will get an OTP, which you will give to the agency. They can get the copy of the document only if they provide the right OTP. It is the same way you are logging in to this website.

The whole UID infrastructure is two-factor auth by default. Think of the URI like Facebook Graph API URLs. They are static, REST-ful endpoints that require two-factor authentication.

While there are no strong laws to protect scans of your IDs, the biometric data does come under The Privacy Bill, 2013. So does any identification typically used by financial institution. Your other IDs, like Voter ID are public information anyway, except for biometric identifiers.


Background: Almost all govt / public sector / regulated private sector services in India require you to submit a physical proof of ID/Address (along with application forms & other essentials) e.g. bank account, mobile SIM, gas/water/electricity, credit card etc.

It's unlike the US where your SSN is electronically linked to your identity & credit history and most of the above stuff can be done without any physical documents.

The Aadhar (literally means foundation) card is trying to provide a unified identification across the country. Perhaps like an SSN to some extent.


I feel the Feedback page might need some work. Right now it seems like all the submitted feedback is made public with no approval.

http://i.imgur.com/1qieQ03.png


SCREENSHOTS - http://imgur.com/a/k9mCf (read notes below)

For people who have negative opinions about this, hold on. There's more to the DigitalLocker than you think. I tried using this the day it launched (a few weeks ago). Here are a few things for people who haven't tried it.

1.) Apart from storing documents, the other important feature is to share documents with entities (seems like both govt and private). Right now in India, for anything new you want to signup for in the offline world, you are usually asked for multiple ID and address proofs. This site has a feature to share stored documents when entities request for it. So you get document requests from entities (just like Facebook friend requests) and you approve them to share the documents required. Way better than having to carry xerox copies to the office of the entity.

2.) It also looks like entities can issue you documents. If implemented, then we wouldn't have to worry about carrying and safe-guarding physical copies of documents. I have about 20-30 physical documents I need to safe-guard and more than a dozen marks cards from college. Imagine just receiving a notification that the document for your new insurance policy has been received in your digital locker? Ah such minimalistic life.

3.) Love the simple Aadhaar-based login process. That is so layman-friendly. Entered my Aadhaar card number to get an OTP to login. Most Indian govt sites have ridiculous rules about setting passwords - all of which I cannot remember at all. Even worse changing your account email or password on those sites is a nightmare. To change the email address on the Service Tax website, I have to write a paper-based request to the authority.

4.) You can store any document you want to. This isn't limited to government issued IDs. There's an "other" category when uploading.

5.) I've been using Dropbox to store scanned copies of my family's important documents. It has come in handy many times. It is the govt offering to digitally store govt-issued documents. Why would I bother about privacy? I'm glad they made this.

6.) About the SSL cert: AFAIK they seem to have broken the site during a recent update. SSL was fine during the launch day. Oh, and when the Indian govt website specifies "beta" version - they literally mean it. And this site isn't as bad as booking a Railway tatkal ticket on IRCTC, for which there are tutorials and videos on how to use the site. I've forgotten my IRCTC username/password again and I've exhausted all mobile numbers in the house to signup for new account. I'll have to get a new sim just to book a railway ticket next time.

Mailed the DigitalLocker team my concerns about the 10mb limit and also offered to send code contributions if it was opensource. I got back a very quick reply:

  It is not an open source project, but you can contribute by your valuable suggestions as it is still running in beta Version.
  
  Regarding Storage space we have noted the issue. Inconvenience regretted.
  We shall review and resolve the same as soon as possible.

Besides, it's been mentioned in the FAQ that the storage limit will be increased to 1gb in the future https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0...

[EDIT: I've edited my comment multiple times to add more information]


Thanks to its bad cert, an attacker could MITM it and then the user would simply click past the error and give his Aadhar details to the attacker.


Please change 'xerox copies' to 'photocopies', except Indians others might not understand :)


ROFL. Thanks for pointing out. I was thinking exactly the same when writing that, but still went ahead with "xerox copies" thinking it might be ok.

Cannot edit my comment anymore.


According to the FAQs, every resident only gets 10 MB of storage space, with plans to expand to 1 GB in the future. Basically, it's a government-controlled Dropbox for 3 - 5 PDF files.


Additionally, a government run dropbox isn't very reassuring. This would be the equivalent of the NSA hosting backups of all your data (which they probably do - but still).


This does not look like Dropbox. A service for storing govt "issued" digital documents.


An SSL Cert would be helpful to assure me of its security.


Yeah, the current cert has CN mismatch and is issued by an unknown CA [1].

[1] https://www.ssllabs.com/ssltest/analyze.html?d=digilocker.go...


For those who are interested, (and for those who think this is some half-hearted project fulfilling various conspiracy theories,) the New Yorker wrote a good story about the origins of the Aadhaar project and its goals a while back: http://www.newyorker.com/magazine/2011/10/03/the-i-d-man


Seems like a relatively basic CRUD site. Considering the SSL issues which apparently weren't tested properly and the immediately published feedback that shows tons of private data from people, I really, really hope that the site won't be hacked in the next month or two. Seems like a prime target for folks looking to commit identity theft :-/


This Connection is Untrusted

You have asked Firefox to connect securely to digilocker.gov.in, but we can't confirm that your connection is secure.


Too bad they can't afford SSL certificates. I'll never get to know just how digital India went.


You meant India Government goes digital - there is a day and night difference. And if you think your data is safe with any government - you should be day dreaming!


How does this work for NRIs? How do I get an Aadhaar number?


I don't know how you can get one but you shouldn't get it. Do you really want to give all your fingerprints and retina scans to the government when you know how it can be misused in a country like India which is a police state? I bet there is no oversight in getting access to your information and there are tons of ways in which your information can be misused/exploited.


As a resident Indian at least there's going to be little choice left as more and more services "recommend" using an Aadhar number for refunds and benefits. In any case lack of fingerprints hasn't exactly prevented abuse such as bringing false charges etc in the past.


>when you know how it can be misused in a country like India which is a police state

Do you have anything resembling a proof for the utter BS you just wrote?


[flagged]


Yes, we need proof.

You've asserted many things. But with no links to any proof.

Every question you asked above, also applies to the US.

I'm not going to bother providing links until you do.


> a country like India which is a police state

> Haha. Do we have a "nationalist" here who seems to be hurt?

These comments violate the HN guidelines. Please read those and follow them:

https://news.ycombinator.com/newsguidelines.html


They need a warrant to arrest you.


I second your opinion on this one. More serious was the fact that Nandan Nilekani was far too keen on getting to the seat of prime minister/enter politics and much less interested in the outcome of the project. Broken karma, criminal wastage of taxpayers' money and a ton of vapor.


India, a police state? You're kidding, right?

Its government is supremely incompetent, but an evil police state, it is not. If anything, it is a functioning anarchy with a - largely - parasitic Government.


Valid ssl cert would help


A Hacker heaven..


Funny that I just mentioned the CA that issued the cert for this site in https://twitter.com/yuhong2/status/574416966460403712

FYI, the Mozilla inclusion request is in https://bugzilla.mozilla.org/show_bug.cgi?id=557167



