Microsoft Judges DigiNotar SSL Certificates 'Untrustworthy'


Microsoft has decided that all DigiNotar certificates are untrustworthy and is moving the Dutch certificate authority's root certificates to Windows' block list, the Untrusted Certificate Store.

The move effectively blocks Windows computers from accepting any SSL certificate that chains to one of DigiNotar's roots.

In addition, Redmond extended the update to customers running Windows XP and Windows Server 2003, as well as to third-party applications that rely on the Windows certificate store, protecting all supported Windows systems against possible exploits resulting from the SSL hack.

Microsoft's Tuesday update revokes trust in the DigiNotar root certificates, which include DigiNotar Root CA, DigiNotar Root CA G2, DigiNotar PKIoverheid CA Overheid, DigiNotar PKIoverheid CA Organisatie-G2, and DigiNotar PKIoverheid CA Overheid en Bedrijven.
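A quick way to confirm on a given Windows host that the block described above has actually landed is to look for the DigiNotar roots in the Untrusted Certificate Store (the Disallowed store under the Cert: drive) and make sure no copy is left in a trusted root store without a matching blocked entry. The following script is an added example written for this page, not code from Microsoft or from the original article; it matches certificates by the substring "DigiNotar" in the subject or issuer, which is a heuristic, and it assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original article): report whether the DigiNotar
# roots are blocked on this host and whether any copy is still trusted.
# Assumes an elevated PowerShell session; store paths are the standard Cert: drive paths.
$pattern = 'DigiNotar'

# Stores that confer trust: a match here is only a finding if the same
# thumbprint is absent from the Untrusted (Disallowed) store.
$trustStores  = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
# The Untrusted Certificate Store, where the update is expected to place the roots.
$untrustStore = 'Cert:\LocalMachine\Disallowed'

function Get-MatchingCerts {
    param([string]$StorePath, [string]$Pattern)
    if (-not (Test-Path -Path $StorePath)) { return @() }
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.Subject -match $Pattern -or $_.Issuer -match $Pattern
    }
}

# Thumbprints of DigiNotar certificates that Windows explicitly distrusts.
$blocked = @(Get-MatchingCerts -StorePath $untrustStore -Pattern $pattern)
$blockedThumbprints = @($blocked | ForEach-Object { $_.Thumbprint })

Write-Host "DigiNotar entries in the Untrusted Certificate Store: $($blocked.Count)"
$blocked | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# A DigiNotar root in a trusted store is only a problem if nothing blocks it:
# the Disallowed store takes precedence over Root and AuthRoot for the same certificate.
$findings = foreach ($store in $trustStores) {
    foreach ($cert in Get-MatchingCerts -StorePath $store -Pattern $pattern) {
        if ($blockedThumbprints -notcontains $cert.Thumbprint) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

if ($findings) {
    Write-Warning "DigiNotar certificates are trusted on this host and not present in the Untrusted store:"
    $findings | Format-Table -AutoSize
    exit 1
}
elseif ($blocked.Count -eq 0) {
    Write-Warning "No DigiNotar certificates found in any store; the update may not have been applied yet."
    exit 2
}
else {
    Write-Host "All DigiNotar roots found on this host are in the Untrusted Certificate Store."
}
```

Exit code 1 means a DigiNotar root is still trusted without a corresponding blocked entry; exit code 2 means the host has no DigiNotar entries at all, which on a machine that has not received the update is indistinguishable from never having shipped the roots, so treat it as "verify the update status" rather than "safe". Matching on the subject string is convenient but not authoritative; if you have the certificate thumbprints from the vendor advisory, compare on those instead.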

“We recognize this issue as an industry problem, and we have been actively collaborating with certificate authorities, governments and software vendors to help protect our mutual customers,” Microsoft said in a blog post Tuesday.

DigiNotar announced last week that it had suffered a massive SSL hack in which certificates were fraudulently issued for a wide swath of domains, including Google.com.

The Dutch certificate authority set about revoking hundreds of the fraudulent SSL certificates. Others apparently fell through the cracks: DigiNotar said last week that it had overlooked fraudulent certificates for Google.com, Mozilla, Microsoft and other domains, in an attack that appears to have originated in Iran.

An independent audit commissioned by the Dutch government and conducted by security firm Fox-IT found that around 300,000 users, almost all of them in Iran, had been exposed to the fraudulent Google.com certificate, in what some suspect was an Iranian government attempt to spy on its citizens' web activity.

An attacker holding a fraudulently issued certificate for a legitimate domain such as Google.com can impersonate that site and intercept its traffic, spying on users' web activity or harvesting the login credentials, credit card numbers and other personal information they enter.

News of the widespread SSL certificate compromise prompted browser and operating system vendors such as Google, Microsoft and Mozilla to blacklist DigiNotar-issued SSL certificates last week.

Security researchers contend that such widespread blacklisting likely spells the beginning of the end for the Dutch CA.

“It’s game over for DigiNotar,” said Andrew Storms, director of security operations at security firm nCircle, in an e-mail. “Very soon they will officially no longer be a valid entity to issue certificates.”

The hack could have far-reaching implications for the Netherlands. The Dutch government publicly announced Tuesday that DigiNotar's certificates were not to be trusted and expanded an investigation to determine whether the hack had exposed citizens who filed their income taxes online.

Among its many customers, DigiNotar provided SSL services for DigiD, a Dutch government site that lets citizens access a slew of online services, including filing taxes, registering for universities and donating organs.

Meanwhile, Microsoft said that it would not extend the update to Dutch users for at least a week, a delay that could give the Dutch government enough time to update its web sites, Storms said.
