Microsoft warns of fraudulent digital certificate issued by DigiNotar

Warwick Ashford

Microsoft has issued a security advisory warning of at least one fraudulent digital certificate issued by root certificate authority (CA) DigiNotar.

Digital certificates are used primarily to verify the identity of a person or device, authenticate a service or encrypt files.

Microsoft notes that DigiNotar has since revoked the digital certificate which, according to the security advisory, affected all subdomains of google.com.

"This is not a Microsoft security vulnerability; however, the certificate potentially affects internet users attempting to access websites belonging to Google," said Dave Forstrom, director of Microsoft's Trustworthy Computing division.

A fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks against end users, he wrote in a blog post.

Microsoft is working with DigiNotar to find out if there are any other certificates that have been issued without sufficiently validating the identity of the requester, Dave Forstrom said. Microsoft has taken steps to protect customers by removing the DigiNotar root certificate from the list of trusted root certificates on Windows, he said.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required," Forstrom said.

Users of these operating systems will be presented with an invalid certificate error when they browse to a website or try to install programs signed by the DigiNotar root certificate.

Microsoft plans to release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.

Security pundits have commented on Twitter that the incident shows that the market for SSL certificates is broken. The lack of legal liability for CAs such as DigiNotar - which issue fraudulent certificates without sufficiently validating the identity of the requester - has drawn criticism.

