Rogue SSL Certificates Blacklisted By Microsoft Corporation
Microsoft Corporation (NASDAQ:MSFT) has taken swift action in firmly blacklisting a sub-contracted Certificate Authority for wrongful issue of SSL certificates to many Google websites. The move is significant, considering the unnerving revelations of misuse of SSL issuing powers of Certificate Authorities.
In this particular case, Google Inc (NASDAQ:GOOG) had reported that the Certificate Authority, China Internet Network Information Center (CNNIC)’s intermediate certificate to MCS Holdings of Egypt was, without authorization, used to issue SSL certificates to several Google websites.
In routine practice, a holder of intermediate certificate has the authority to issue SSL certificates to domain names. In this case, CNNIC had appointed MCS Holding as a sub-ordinate Certifying Agency, by delegating its certifying authority to the company.
On its part, MCS Holdings’ sub-CA certificate was installed in the firewall device, with capabilities to inspect SSL/TLS traffic. By nature of the installation, a proxy is created, and is famously called, Man-in-the-Middle. These are then used as part of the IT security policies, by company’s allowing employees to use HTTPS websites.
Hence, the sub-CA used to analyze SSL/TLS encrypted traffic can prove to be risky, as hackers can steal the certificate by compromising the firewall device and later using it to launch website spoofing against other internet users.
Google Inc, as well as Mozilla, had black-listed MCS Holdings’ sub-CA on Monday. The effect of such black-listing is seen in other search engines, such as Chrome and Firefox, not trusting these certificates.
Microsoft Corporation (NASDAQ:MSFT) black-listing means Internet Explorer too, does not trust the sub-CA of MCS Holdings’ any longer. It also applies to other software programs that use root certificate stores for Windows to validate the certificates.
Apart from Microsoft Corporation (NASDAQ:MSFT) blacklisting the sub-CA, Mozilla is seriously reviewing if CNNIC itself should be held responsible for issuing the intermediate certificate. Mozilla views that CNNIC has violated policies by issuing the intermediate certificate it claims.
Latest posts by Lisa Ray (see all)
- Lawsuit Over Takeover Battle Settled By Pershing And Allergan, Inc. (NYSE:AGN) - April 10, 2015 05:31 AM PST
- Walgreens Boots Alliance Inc (NASDAQ:WBA) To Shut Down 200 Stores In US - April 10, 2015 05:26 AM PST
- Amazon.com, Inc (NASDAQ:AMZN) Suing Websites For Fake Reviews - April 10, 2015 05:24 AM PST