Microsoft Blacklists Fake Finnish Certificate

jones_supa writes Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to "trust" the known bad certificate for months or even years, and that attackers could use it to trick users into running malware. "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks," Microsoft says in a March 16 security alert. "It cannot be used to issue other certificates, impersonate other domains or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

That man...

[Anonymous Coward]

The man let Microsoft know he got the cert just by asking. JUST BY ASKING! AND LET THEM KNOW ABOUT IT!

It's been explained

[Anonymous Coward]

Steve Gibson (@SGgrc), of GRC.com fame, has already explained this on his latest "Security Now" podcast. It was sort of a joke/gimmick from someone trying to make a point about the insecurity of certificate authorities. The summary here is absolute flamebait, getting things WAY out of proportion. Weird. Listen to it and you'll see what I mean.

Re:

[dotancohen]

He made a very good point. The truth is that users have no way of knowing which of the tens of certificates included in the browser to leave and which to remove. This Super User question remains without a satisfactory answer, even as browser cert issues pile up almost monthly:
http://superuser.com/questions... [superuser.com]

Can you receive mail to hostmaster@somedomain.tld?

[Anonymous Coward]

Then you can get a certificate for that domain, even if you only have access to that mail address for a short while. That's how securely the CA hierarchy protects you. That's the level of scrutiny you can expect from CAs that your browser trusts.

Re:

[Anonymous Coward]

Your browser does not require EV certificates.

Re:

[Anonymous Coward]

Or if you can listen to email traffic sent to hostmaster@somedomain.tld :(

Hooray for default unencrypted email.

not Finland. the guy on the phone is from India

[turkeydance]

he says there is a problem with my windows.

Re:

[rmdingler]

It is positively Palinesque that he can tell from there.

Fail

[IamTheRealMike]

This is the second time this has happened to Microsoft. You'd think after the first time someone was able to register an administrator address @live.com they would have brainstormed all the names that might possibly be considered special, or hell, just checked which ones are being used this way, and then reserved them. How many can there possibly be? 10?

We can argue about whether sending an email is a good way to verify ownership of a domain or not, but really, someone who could register hostmaster@live.fi

Re:Fail

[bloodhawk]

To accept a request just because the email address "looks" like it could be legitimate is worse than moronic. 10 combinations?, you could easily come up with 100's if not 1000's of subtle versions, misspellings etc. The fact all the register does is say, "well that address looks legit lets trust it" is fucking scary. People laugh at users for falling for phishing attacks and that is against people that know no better.

Re:

[IamTheRealMike]

Comodo aren't trying misspellings of "root@live.com" - do you think domain validation requests are reviewed by humans? They are not and that's why they are cheap or free. They have a fixed list of hard coded addresses they are willing to try.

EV certs are reviewed by humans and that's why obtaining a fraudulent one is much harder, actually I never heard of it ever happening. But they cost more. It seems that live.fi redirects to live.com which has an EV cert for "Microsoft Corporation", so even if the fake c

Just Block it In Your Hosts File

[sexconker]

I don't think I'll ever have any need to hit up .fi or .co.uk or .ca or .in or whateverthefuck other third world countries think they deserve to be on the internet.
So I block them all in my hosts file.

Re:

[Anonymous Coward]

The Internet thanks you for removing yourself from it.

Re:

[jones_supa]

Interestingly kernel.org has blocked France, not for certificate reasons though, story here [reddit.com].

Re:

[nmpg]

dude, but so far, to my knowledge, there's still no similar attacks with the new cool TLDs like .website, .place, etc. I think things will get more interesting in some time..

A Problem and Its Solutions

[DERoss]

It took quite a bit of searching before I could identify the specific root certificate involved. It turns out that root was already marked as "untrusted", which means I would not have been affected by this problem.

Also, the subscriber certificate involved is apparently marked as revoked in OCSP (Online Certificate Status Protocol) messages. Those who set their browsers to always confirm the validity of subscriber certificates via an OCSP server and who also set their browsers to assume a subscriber certif

SSL is best for encryption, not authentication

[Antique Geekmeister]

Let us be clear: SSL hs been demonstrated as vulnerable to top-down attacks, to signature authorities failing to protect or being willing to abuse their signature authorities. The classic example was DigiNotar, but there have certainly been other fake certificates published. If you combine this with the number of hosted web proxies and poorly managed websites with poorly protected wildcard SSL certificates on them, it's not safe to place too much trust in SSL certificates as a form of signature authority. I