Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Microsoft warns of fraudulent digital certificate issued by DigiNotar

Digital certificates are used primarily to verify the identity of a person or device, authenticate a service or encrypt files.

Microsoft notes that DigiNotar has since revoked the digital certificate which, according to the security advisory, affected all subdomains of google.com.

"This is not a Microsoft security vulnerability; however, the certificate potentially affects internet users attempting to access websites belonging to Google," said Dave Forstrom, director of Microsoft's Trustworthy Computing division.

A fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks against end users, he wrote in a blog post.

Microsoft is working with DigiNotar to find out if there are any other certificates that have been issued without sufficiently validating the identity of the requester, Dave Forstrom said. Microsoft has taken steps to protect customers by removing the DigiNotar root certificate from the list of trusted root certificates on Windows, he said.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required," Forstrom said.

Users of these operating systems will be presented with an invalid certificate error when they browse to a website or try to install programs signed by the DigiNotar root certificate.

Microsoft plans to release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.

Security pundits have commented on Twitter that the incident shows that the market for SSL certificates is broken. The lack of legal liability for CAs such as DigiNotar – which issue fraudulent certificates without sufficiently validating the identity of the requester – has drawn criticism.

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?