Microsoft has followed Google’s lead in revoking a mis-used third-party digital certificate.
According to Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, Microsoft has updated the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate. He said that the certificate could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties.
“With this action, customers will be automatically protected against this issue. Additionally, the Enhanced Mitigation Experience Toolkit (EMET) 4.0 and newer versions help mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature,” he said in an advisory.
Also, according to Computerworld, both Mozilla and Opera Software followed Microsoft and Google in revoking the rogue digital certificates that had been issued by a subordinate certificate authority (CA) of France’s cyber security agency.
Opera said that it “reacted immediately, by blacklisting the intermediate certificate, done in a regular browser update”.
Opera developer Sigbjørn Vik said: “The update demonstrates how Opera can ensure the safety of users, even when CAs misbehave, and even though we no longer operate our own root store. We still have, and will continue to maintain, the ability to override the root store of the underlying operating system, and to blacklist certificates.
“We expect that such root stores will be updated shortly as well, but we did not want to leave our users affected until such time.”
Kathleen Wilson, module owner of Mozilla’s CA certificates module, said in a statement that it was “actively revoking trust of the subordinate CA certificate that was mis-used to generate the certificate used by the network appliance” and that this change will be released to all supported versions of Firefox in the updates this week.
The French security agency said in a statement that an effort to “strengthen the overall IT security of the French Ministry of Finance” led to digital certificates being signed by the certification authority (CA) of the DGTrésor (Treasury), which is attached to the agency.