Rogue SSL Certificates Blacklisted By Microsoft Corporation


Microsoft Corporation (NASDAQ:MSFT) has taken swift action, blacklisting a sub-contracted Certificate Authority for the wrongful issuance of SSL certificates for many Google websites. The move is significant in light of unnerving revelations about Certificate Authorities misusing their power to issue SSL certificates.

In this particular case, Google Inc (NASDAQ:GOOG) had reported that the intermediate certificate issued by the Certificate Authority China Internet Network Information Center (CNNIC) to MCS Holdings of Egypt was used, without authorization, to issue SSL certificates for several Google websites.

In routine practice, the holder of an intermediate certificate has the authority to issue SSL certificates for domain names. In this case, CNNIC had appointed MCS Holdings as a subordinate Certificate Authority (sub-CA) by delegating its certifying authority to the company.

For its part, MCS Holdings installed the sub-CA certificate in a firewall device capable of inspecting SSL/TLS traffic. An installation of this kind creates a proxy, commonly known as a man-in-the-middle. Companies use such proxies as part of their IT security policies while allowing employees to use HTTPS websites.

A sub-CA certificate used to analyze SSL/TLS-encrypted traffic can therefore prove risky: hackers can steal the certificate by compromising the firewall device and later use it to spoof websites against other internet users.

Google Inc, as well as Mozilla, had blacklisted MCS Holdings’ sub-CA on Monday. As a result, their browsers, Chrome and Firefox, do not trust these certificates.

Microsoft Corporation’s (NASDAQ:MSFT) blacklisting means that Internet Explorer, too, no longer trusts MCS Holdings’ sub-CA. The same applies to other software programs that use the Windows root certificate store to validate certificates.

Apart from Microsoft Corporation (NASDAQ:MSFT) blacklisting the sub-CA, Mozilla is seriously reviewing whether CNNIC itself should be held responsible for issuing the intermediate certificate. Mozilla claims that CNNIC violated policies by issuing the intermediate certificate.
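The effect of the blacklisting described above, as an added example that is not part of the original article: a chain that verifies up to a trusted root is still rejected once its intermediate is on a distrust list. All certificates and names are constructed, the Python `cryptography` package is assumed, and validity dates and hostname matching are left out to keep the focus on the distrust check.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Issue a constructed certificate for `cn`, signed by `issuer_key`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256()).hex()

def chain_trusted(chain, trusted_roots, distrusted):
    """`chain` is leaf-first and ends at a root. Returns (ok, reason)."""
    for cert in chain:  # the distrust list wins over any otherwise valid path
        if fingerprint(cert) in distrusted:
            return False, "distrusted: " + cert.subject.rfc4514_string()
    for cert, issuer in zip(chain, chain[1:]):
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca or cert.issuer != issuer.subject:
            return False, "issuer is not a matching CA"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, "bad signature"
    if fingerprint(chain[-1]) not in trusted_roots:
        return False, "untrusted root"
    return True, "ok"

def demo():
    root_k, sub_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Constructed Root CA", root_k, "Constructed Root CA", root_k, True)
    sub = make_cert("Constructed Sub-CA", sub_k, "Constructed Root CA", root_k, True)
    leaf = make_cert("www.example.test", leaf_k, "Constructed Sub-CA", sub_k, False)
    chain, roots = [leaf, sub, root], {fingerprint(root)}
    return chain_trusted(chain, roots, set()), chain_trusted(chain, roots, {fingerprint(sub)})
```

`demo()` returns the verdict for the same chain before and after the sub-CA's fingerprint is added to the distrust list.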

Lisa Ray
