Microsoft Revokes Digital Certs To Guard Against Possible Attacks, Surveillance


Microsoft issued an emergency security update for Windows users, revoking rogue digital certificates that could have been used to perform phishing or spoofing attacks or intercept SSL-encrypted connections to support surveillance activity against users of Gmail, Yahoo Mail and other Google and Yahoo services.

The Redmond, Wash.-based software maker issued a security advisory late Thursday, updating its Certificate Trust List in all supported releases of Windows. The update removes "the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of Microsoft Response Communications, in a blog post Thursday.

The rogue SSL certificates were issued by the National Informatics Centre (NIC), an agency under India's Department of Electronics and Information Technology, the division of the government of India that controls the country's Trusted Root Certification Authorities Store.


SSL certificates are sought by website owners to establish a secure connection with visitors. A certificate validates the authenticity of the site, creating an https connection represented by a padlock icon in the browser URL bar. An attacker could use a stolen or erroneously issued certificate to spoof content that supports phishing campaigns, or to conduct a man-in-the-middle attack to view messages and other information.

Microsoft said it was unaware of any attacks carried out using the certificates. In addition to Gmail and Yahoo Mail, Microsoft lists more than 40 other Web properties for which certificates were issued, including Static.com, a company that sells website hosting, virtual machine instances and a white-labeled cloud hosting platform as a service to solution providers.

"The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks," Microsoft said in its advisory.

Google took steps to protect users in India against attacks, limiting certificate support for Chrome users to seven domains. The digital certificates were included in the Microsoft Root Store and would be trusted by many programs running on Windows, including Internet Explorer and Chrome, said Adam Langley, a Google security engineer, in an announcement about the incident on Tuesday. Langley said Google became aware of the problem last week and pushed out an update to block the certificates in Chrome.

A certificate for a Yahoo domain was also issued, Langley said in an update on Wednesday. The scope of the problem is not yet known, he said.

Microsoft has issued seven advisories to revoke rogue digital certificates since 2011.

Solution providers say faith in digital certificates has eroded in recent years following a string of lapses at Certificate Authorities, which are supposed to issue certificates only after verifying the authenticity of a domain owner. A 2011 data breach at Comodo leaked nine digital certificates for domains used for Skype, Mozilla, Google and Yahoo. That same year, DigiNotar, a Dutch certificate authority, issued 500 rogue certificates that were believed to have been used against Iranian users of Gmail and other Google services.

The leaks could be tied to corporate or government surveillance activity, said one solution provider that sells hosted services to clients.

"It's a security mechanism that is supposed to be a protection and establish trust by verifying the legitimacy of Internet services, but that trust is no longer there," said the solution provider, who declined to be identified. "This is a case of the Internet truly being the wild, wild west."

PUBLISHED JULY 11, 2014