Want to keep the TNW Conference vibe going?? Tickets for TNW2022 are available now >>

The heart of tech

This article was published on March 23, 2011

Microsoft reveals fake SSL certificates loose for top sites

Microsoft reveals fake SSL certificates loose for top sites
Alex Wilhelm
Story by

Alex Wilhelm

Alex Wilhelm is a San Francisco-based writer. You can find Alex on Twitter, and on Facebook. You can reach Alex via email at [email protected] Alex Wilhelm is a San Francisco-based writer. You can find Alex on Twitter, and on Facebook. You can reach Alex via email at [email protected]

On Wednesday Microsoft warned of 9 false SSL certificates that were issued by a certification authority that would affect all versions of Windows which support the ‘Trusted Root Certification Authorities Store.’

The certificates were originally released by Comodo, a company that ironically specializes in Internet security. According to Microsoft the “nine certificates had been signed on behalf of a third-party without sufficiently validating its identity.”

In short, a Comodo affiliate called ‘RA’ was compromised and then used to issue the 9 certificates, which effect 7 domains. A Comodo post on the topic calls the situation “politically motivated” and “state funded,” with a firm finger pointed at Iran. Comodo is in effect accusing a nation-state of attacking their affiliate to create fake SSL certificates.

These 9 certificates affect several websites, including all of the following:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Three of the rogue certificates affect the login.yahoo.com URL. Comodo has revoked the certificates and has placed them on a list that will allow certain browsers to automatically protect themselves.

According to Microsoft the certificates could be used to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.”

All Windows users who have updates automatically delivered to their computers will be sorted with no intervention required on their part.

If you are worried, you can download an update from Microsoft directly that will protect you.