Microsoft has issued a security advisory warning of at least one fraudulent digital certificate issued by root certificate authority (CA) DigiNotar.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Digital certificates are used primarily to verify the identity of a person or device, authenticate a service or encrypt files.
Microsoft notes that DigiNotar has since revoked the digital certificate which, according to the security advisory, affected all subdomains of google.com.
"This is not a Microsoft security vulnerability; however, the certificate potentially affects internet users attempting to access websites belonging to Google," said Dave Forstrom, director of Microsoft's Trustworthy Computing division.
A fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks against end users, he wrote in a blog post.
Microsoft is working with DigiNotar to find out if there are any other certificates that have been issued without sufficiently validating the identity of the requester, Dave Forstrom said. Microsoft has taken steps to protect customers by removing the DigiNotar root certificate from the list of trusted root certificates on Windows, he said.
"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required," Forstrom said.
Users of these operating systems will be presented with an invalid certificate error when they browse to a website or try to install programs signed by the DigiNotar root certificate.
Microsoft plans to release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.
Security pundits have commented on Twitter that the incident shows that the market for SSL certificates is broken. The lack of legal liability for CAs such as DigiNotar - which issue fraudulent certificates without sufficiently validating the identity of the requester - has drawn criticism.