Microsoft warns of bogus Google and Yahoo SSL certificates

11 Jul 2014
Microsoft has warned web users to be vigilant following the discovery of a series of bogus SSL certificates, issued for Google and Yahoo domains, that could be leveraged by attackers to mount man-in-the-middle and phishing attacks.

Microsoft issued the warning in a security advisory (Microsoft Security Advisory 2982792) published on TechNet, alerting IT managers that the certificates could be used to impersonate the affected sites for phishing and man-in-the-middle attacks.

"The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store," read the advisory.

"The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties."

The issue affects all supported releases of Windows, though Microsoft has yet to see evidence that attackers are actively using the certificates. Microsoft said it is updating the Windows Certificate Trust List (CTL) to remove trust in the offending subordinate CA certificates and prevent future misuse. On Windows 8 and later the CTL update is applied automatically; Windows Vista, Windows 7 and Windows Server 2008/2008 R2 receive it only if the automatic updater of revoked certificates (KB2677070) is installed, so administrators of older systems should confirm that component is present.

Tripwire security researcher Craig Young recommended IT managers take a variety of protective steps while Microsoft works on the update.

"One of the best ways to protect users from this type of threat is through the use of pinned certificates. This is a deployment in which software is designed to require specific certificates, instead of allowing any certificate signed by a 'trusted' authority," he said.

"This practice is used in the Gmail app for Android, for example. Unfortunately this approach does not scale for general web browsing. To protect themselves from these kinds of incidents users may want to remove trust for regional certificate authorities that aren't needed in the user's locale."
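The pinning approach Young describes, as an added example that is not code from the article, from Microsoft or from Tripwire: a Python client-side check that extracts the SubjectPublicKeyInfo (SPKI) from a certificate's DER encoding, hashes it, and accepts the certificate only if that hash is in the application's pin set, which is an additional check on top of normal chain validation rather than a replacement for it. Everything it operates on is constructed inline (the hostnames, CA names, moduli and certificates are synthetic; the certificates carry dummy signatures and would fail real chain validation), so it runs offline. The point it shows is that a certificate for the pinned hostname issued under a different, nominally trusted CA is rejected even though a trust-store check alone would accept it, while a renewed certificate carrying the same key still passes.

```python
"""SPKI certificate pinning check (added example; not code from the article,
Microsoft or Tripwire).

Parses X.509 DER just far enough to reach subjectPublicKeyInfo, hashes it the
way HPKP and Android network-security-config pins do
("sha256/" + base64(SHA-256(SPKI DER))) and accepts the certificate only if that
pin is in the app's pin set. Sample certificates are built in-code with a tiny
DER encoder; they hold no real keys or signatures, so a real client must still
run normal chain validation first and apply this check on top.
"""
import base64
import hashlib

# ---- minimal DER encoder, used only to construct the sample certificates ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def integer(n: int) -> bytes:
    # ceil((bits+1)/8) bytes keeps the sign bit clear for positive values
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

OID_RSA = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_CN = bytes.fromhex("0603550403")               # 2.5.4.3 commonName
NULL = b"\x05\x00"

def name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { SEQUENCE { OID, value } }
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    key = seq(integer(modulus), integer(exponent))
    return seq(seq(OID_RSA, NULL), tlv(0x03, b"\x00" + key))

def fake_cert(subject_cn: str, issuer_cn: str, spki: bytes) -> bytes:
    """Constructed certificate-shaped DER with a dummy (unverifiable) signature."""
    tbs = seq(
        tlv(0xA0, integer(2)),                          # [0] EXPLICIT version v3
        integer(0x1234),                                # serialNumber
        seq(OID_RSA, NULL),                             # signature algorithm
        name(issuer_cn),
        seq(tlv(0x17, b"140701000000Z"), tlv(0x17, b"150701000000Z")),  # validity
        name(subject_cn),
        spki,
    )
    return seq(tbs, seq(OID_RSA, NULL), tlv(0x03, b"\x00" * 33))

# ---- DER parser: Certificate -> tbsCertificate -> subjectPublicKeyInfo ----
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, raw_tlv, next_pos) for the single-byte-tag element at pos."""
    start = pos
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[start:end], end

def _children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = _read_tlv(body, pos)
        out.append((tag, val, raw))
    return out

def spki_der(cert_der: bytes) -> bytes:
    tag, cert_body, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs_tag, tbs_body, _, _ = _read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    fields = _children(tbs_body)
    idx = 1 if fields[0][0] == 0xA0 else 0   # skip optional [0] version
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[idx + 5][2]

def spki_pin(cert_der: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def pin_check(cert_der: bytes, pins: set) -> bool:
    """True only if the certificate's public key matches a pinned key."""
    return spki_pin(cert_der) in pins

# ---- constructed scenario (arbitrary numbers standing in for RSA moduli) ----
GOOD_SPKI = rsa_spki(int.from_bytes(hashlib.sha256(b"legit key").digest() * 8, "big"))
ROGUE_SPKI = rsa_spki(int.from_bytes(hashlib.sha256(b"rogue key").digest() * 8, "big"))

LEGIT_CERT = fake_cert("www.example.test", "Example Trusted CA", GOOD_SPKI)
# Same hostname, a different key, issued by a different CA that the OS also
# trusts: the shape of the NIC misissuance. Chain validation alone would accept it.
ROGUE_CERT = fake_cert("www.example.test", "Regional Sub CA", ROGUE_SPKI)

# Pins are derived from the known key, not from any particular certificate.
PINS = {"sha256/" + base64.b64encode(hashlib.sha256(GOOD_SPKI).digest()).decode()}

if __name__ == "__main__":
    print("legit cert accepted:", pin_check(LEGIT_CERT, PINS))
    print("rogue cert accepted:", pin_check(ROGUE_CERT, PINS))
```

Pin the SPKI rather than the leaf certificate, and ship a backup pin for the next key, so that routine certificate renewal does not lock users out; that operational burden, multiplied across every site a browser might visit, is why Young says the approach does not scale to general web browsing.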

The advisory comes just days after Microsoft released its monthly Patch Tuesday security update, which included a critical fix for the Internet Explorer web browser.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copywriter and artist.
