Microsoft responds to Google's spoofed SSL certificates

Summary: Microsoft acknowledges Google's report yesterday that an improperly issued intermediate certificate authority, chaining to a root-trusted CA owned by the French government, falsely issued certificates for Google and other domains. Microsoft has taken action and given advice.


Microsoft has issued an advisory for the unauthorized SSL certificate issuance reported yesterday by Google.

The security advisory from Microsoft states that SSL certificates had been issued "...for multiple sites, including Google web properties." So it appears the incident is not limited to Google.

The certificates were issued from an improper intermediate certificate authority certificate, which was itself issued by the Directorate General of the Treasury (DG Trésor), a subordinate of the Government of France CA operated by ANSSI. The ANSSI root is present in the Trusted Root Certification Authorities Store, so every certificate that chains to it, the bogus ones included, is trusted by default.

Other, as-yet undetected false certificates may exist. Microsoft did not say whether certificates had been issued for any of their own domains.

In response, Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Windows "... to remove the trust of certificates that are causing this issue." Most likely the intermediate CA involved will be added to the Untrusted Certificates list consulted by the Windows crypto libraries. Most cryptographic software on Windows relies on those libraries, including Google Chrome, which uses the Windows certificate store; Mozilla Firefox ships its own trust store and must handle the revocation itself.

Microsoft says that devices running supported editions of Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8 automatically receive updates to the list of revoked certificates. An installable version of this automatic updater is available from Microsoft for versions of Windows prior to Windows 8, but not for Windows XP or Windows Server 2003.
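A quick way to check where a Windows machine stands against what the advisory describes, as an added example that is not code from the article or from Microsoft. It assumes the disallowed-CTL updater records its state under the AuthRoot\AutoUpdate registry key in the two values named below, with the sync time stored as an 8-byte FILETIME, and the issuer patterns are regexes built from the CA names given in the article, not the exact subject strings of the blocked certificates.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumptions (not stated on the page): the disallowed-certificate updater
# stores its state in the AuthRoot\AutoUpdate key, in the two values used
# below, with the sync time as an 8-byte FILETIME; the name patterns are
# guesses derived from the CA names the article mentions.

$AutoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

function Get-DisallowedCtlStatus {
    # Windows 8 / Server 2012 (version 6.2) and later carry the updater
    # natively; Vista/7/2008/2008 R2 need the separate installable updater.
    $osVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version
    $builtIn   = $osVersion -ge [Version]'6.2'

    $ctlPresent = $false
    $lastSync   = $null
    if (Test-Path $AutoUpdateKey) {
        $props = Get-ItemProperty -Path $AutoUpdateKey
        $ctlPresent = $null -ne $props.DisallowedCertEncodedCtl
        if ($props.DisallowedCertLastSyncTime) {
            # Assumed layout: REG_BINARY holding a little-endian FILETIME.
            $fileTime = [BitConverter]::ToInt64($props.DisallowedCertLastSyncTime, 0)
            $lastSync = [DateTime]::FromFileTimeUtc($fileTime)
        }
    }

    [pscustomobject]@{
        OSVersion      = $osVersion
        UpdaterBuiltIn = $builtIn
        DisallowedCtl  = $ctlPresent
        LastSyncUtc    = $lastSync
        # No disallowed CTL at all means the machine has never pulled
        # Microsoft's revocation list and will not see this update.
        NeedsAttention = -not $ctlPresent
    }
}

function Find-UntrustedCertsByName {
    param([string[]]$Patterns = @('ANSSI', 'Tr[eé]sor'))
    # Entries in the Untrusted Certificates (Disallowed) stores whose subject
    # or issuer matches a pattern. Certificates distrusted only through the
    # CTL blob are not necessarily copied into these stores, so an empty
    # result here does not by itself mean the machine is unprotected.
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
            $cert = $_
            @($Patterns | Where-Object { $cert.Subject -match $_ -or $cert.Issuer -match $_ }).Count -gt 0
        } | Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotAfter, Thumbprint
    }
}

Get-DisallowedCtlStatus | Format-List
Find-UntrustedCertsByName | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM key and the machine store are readable. A pre-Windows 8 host that reports no disallowed CTL is the case the advisory's installable updater is meant to fix; a recent LastSyncUtc is the positive signal that the updated list has actually arrived.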

A blog entry from the Microsoft Security Response Center suggests that Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0 may help mitigate man-in-the-middle attacks that rely on spoofed certificates: its Certificate Trust feature pins configured domains to expected root CAs and flags SSL certificates that are untrusted or improperly issued.

Topics: Security, Google, Microsoft


Talkback

  • What goes around, comes around.

    "The certificates were issued using an improper intermediate certificate authority certificate which itself was issued by the Directorate General of the Treasury (DG Trésor), which is subordinate to the Government of France"
    Tim Jordan
    • 24 hours a day

      But if the government can watch us 24 hours a day then what privacy do we have?
      Tim Jordan
  • Privacy gone

    but who cares
    Tim Jordan
  • Firefox not vulnerable by design

    If I understand the issue correctly, Firefox is not vulnerable to this. It won't accept those "fake" Google certificates, because of its updated CA policy. So, although the author implies the security fix applies only to IE and Chrome, Firefox was never vulnerable to this and so does not need the fix.

    Because of many similar incidents in late 2012 and early 2013, Firefox won't accept many subordinate CAs as trusted. Other vendors still follow more relaxed policies and so are vulnerable, having to respond to each incident as it happens. :-(

    More info at:
    http://www.cio.com/article/729085/Mozilla_Changes_Policy_to_Limit_Risk_of_Subordinate_CA_Certificate_Abuse
    fernando8