
Microsoft warns of fraudulent digital certificate issued by DigiNotar

30 August 2011

Microsoft has issued a security advisory warning of at least one fraudulent digital certificate issued by root certificate authority (CA) DigiNotar.

Digital certificates are used primarily to verify the identity of a person or device, authenticate a service or encrypt files.

Microsoft notes that DigiNotar has since revoked the digital certificate which, according to the security advisory, affected all subdomains of google.com.

"This is not a Microsoft security vulnerability; however, the certificate potentially affects internet users attempting to access websites belonging to Google," said Dave Forstrom, director of Microsoft's Trustworthy Computing division.

A fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks against end users, he wrote in a blog post.

Microsoft is working with DigiNotar to find out whether any other certificates have been issued without sufficiently validating the identity of the requester, Forstrom said. To protect customers, Microsoft has removed the DigiNotar root certificate from the list of trusted root certificates on Windows.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required," Forstrom said.

Users of these operating systems will be presented with an invalid certificate error when they browse to a website or try to install programs signed by the DigiNotar root certificate.

Microsoft plans to release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.
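A check an administrator might run after the advisory, added here as an example and not taken from the Computer Weekly article or from Microsoft: it lists any DigiNotar certificate still held in the Windows trust stores and reports whether it remains trusted. It assumes a PowerShell host that exposes the Cert: drive; matching on the substring "DigiNotar" is an assumption, not a thumbprint from the advisory.

```powershell
# Added example (not from the article): find DigiNotar certificates in the
# Windows certificate stores and flag any that are still in a trusted root store.
# Assumes PowerShell with the Cert: drive (Windows Vista / Server 2008 and later).
$pattern = 'DigiNotar'   # assumed substring; matched against Subject and Issuer

# Root and AuthRoot hold trusted anchors; Disallowed holds explicitly untrusted certs.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\Disallowed',
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot',  'Cert:\CurrentUser\Disallowed'
)

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                # Present in Root/AuthRoot means the CA is still a trust anchor on this host.
                StillTrusted = ($store -notmatch 'Disallowed')
            }
        }
}

if (-not $findings) {
    Write-Output "No $pattern certificates found in the checked stores."
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object { $_.StillTrusted }) {
        Write-Warning "A $pattern certificate is still in a trusted root store on this host."
    }
}
```

A DigiNotar entry appearing only in a Disallowed store is the expected state after the update; an entry in Root or AuthRoot means the host still trusts certificates chaining to that CA.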

Security pundits have commented on Twitter that the incident shows that the market for SSL certificates is broken. The lack of legal liability for CAs such as DigiNotar – which issue fraudulent certificates without sufficiently validating the identity of the requester – has drawn criticism.

This story was first published by Computer Weekly
