This article was published on March 23, 2011

Microsoft reveals fake SSL certificates loose for top sites


Microsoft reveals fake SSL certificates loose for top sites

On Wednesday Microsoft warned of 9 false SSL certificates that were issued by a certification authority that would affect all versions of Windows which support the ‘Trusted Root Certification Authorities Store.’

The certificates were originally released by Comodo, a company that ironically specializes in Internet security. According to Microsoft the “nine certificates had been signed on behalf of a third-party without sufficiently validating its identity.”

In short, a Comodo affiliate called ‘RA’ was compromised and then used to issue the 9 certificates, which effect 7 domains. A Comodo post on the topic calls the situation “politically motivated” and “state funded,” with a firm finger pointed at Iran. Comodo is in effect accusing a nation-state of attacking their affiliate to create fake SSL certificates.

These 9 certificates affect several websites, including all of the following:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Three of the rogue certificates affect the login.yahoo.com URL. Comodo has revoked the certificates and has placed them on a list that will allow certain browsers to automatically protect themselves.

According to Microsoft the certificates could be used to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.”

All Windows users who have updates automatically delivered to their computers will be sorted with no intervention required on their part.

If you are worried, you can download an update from Microsoft directly that will protect you.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with