Microsoft responds to Google's spoofed SSL certificates

Microsoft has acknowledged Google's report yesterday that an improperly issued subordinate of a root-trusted certificate authority, owned by the French government, falsely issued certificates for Google and others. Microsoft has taken action and given advice.

Microsoft has issued an advisory for the unauthorized SSL certificate issuance reported yesterday by Google.

The security advisory from Microsoft states that SSL certificates had been issued "...for multiple sites, including Google web properties." So it appears the incident is not limited to Google.

The certificates were issued using an improper intermediate certificate authority certificate which itself was issued by the Directorate General of the Treasury (DG Trésor), which is subordinate to the Government of France CA (ANSSI). ANSSI is a CA present in the Trusted Root Certification Authorities Store and thus all subordinate certificates are trusted.

Other, as-yet undetected false certificates may exist. Microsoft did not say whether certificates had been issued for any of their own domains.

In response, Microsoft is updating their Certificate Trust List (CTL) for all supported releases of Windows "... to remove the trust of certificates that are causing this issue." Probably they will be adding the intermediate CA involved to the list of Untrusted Publishers used by the Windows crypto libraries. These libraries are relied on by most Windows cryptographic software, including Google Chrome (but not Mozilla Firefox).
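As an added example (not from the advisory or from Microsoft), the following Python models the trust decision that the CTL update changes: a leaf issued under a trusted root is accepted until the intermediate that issued it is placed on the disallowed list, which cuts off that intermediate's whole subtree while other subordinates of the same root remain valid. The certificate records, names and thumbprints are constructed stand-ins, and signature verification is deliberately omitted.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real)."""
    subject: str
    issuer: str
    is_ca: bool

    @property
    def thumbprint(self) -> str:
        # Windows CTL entries key on a certificate hash; modeled over the fields here.
        return hashlib.sha1(f"{self.subject}|{self.issuer}|{self.is_ca}".encode()).hexdigest()


# Constructed stand-ins for the chain the advisory describes.
ANSSI_ROOT = Cert("Government of France CA (ANSSI)", "Government of France CA (ANSSI)", True)
DG_TRESOR = Cert("DG Tresor", ANSSI_ROOT.subject, True)
OTHER_SUB_CA = Cert("Other ANSSI subordinate", ANSSI_ROOT.subject, True)
BOGUS_GOOGLE = Cert("*.google.com", DG_TRESOR.subject, False)   # falsely issued leaf
LEGIT_GOV = Cert("service.gouv.fr", OTHER_SUB_CA.subject, False)  # unrelated sibling chain

STORE = [ANSSI_ROOT, DG_TRESOR, OTHER_SUB_CA]      # CA certs available for chain building
TRUSTED_ROOTS = {ANSSI_ROOT.thumbprint}            # Trusted Root Certification Authorities
DISALLOWED = {DG_TRESOR.thumbprint}                # what the CTL update adds (modeled)


def validate(leaf, store, trusted, disallowed):
    """Walk issuer links from the leaf up to a trusted root.

    Any certificate on the path that appears in the disallowed list rejects
    the chain, so distrusting one intermediate invalidates every leaf below
    it even though the root above it stays trusted.
    """
    by_subject = {c.subject: c for c in store}
    chain, cur, seen = [leaf], leaf, set()
    while True:
        if cur.thumbprint in disallowed:
            return False, f"distrusted: {cur.subject}"
        if cur.thumbprint in trusted:
            return True, " -> ".join(c.subject for c in chain)
        if cur.subject in seen:
            return False, "issuer loop without reaching a trusted root"
        seen.add(cur.subject)
        issuer = by_subject.get(cur.issuer)
        if issuer is None or not issuer.is_ca:
            return False, f"no trusted path above {cur.subject}"
        chain.append(issuer)
        cur = issuer
```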

Microsoft says that devices running supported editions of Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8 automatically update revoked certificates. An installable version of this tool for versions of Windows prior to Windows 8 — but not Windows XP or Windows Server 2003 — is available from Microsoft.

A blog entry from the Microsoft Security Response Center suggests that Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.0 may be used to help mitigate man-in-the-middle attacks which could rely on spoofed certificates by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature.