Microsoft removes trust for bogus Google digital certificates from Egypt

  • Liam Tung (CSO Online)
  • 25 March, 2015 09:40

Microsoft is removing trust for a digital certificate covering several Google domains that could have been used to spoof Google services and intercept traffic to them.

Microsoft is moving to protect Windows users from a bad digital certificate discovered by Google late last week that could have been used to set up fake Google sites and intercept traffic to them.

Digital certificates let a browser verify that it is talking to the genuine site and are used to set up the encrypted connection between the browser and that site. A certificate issued for a domain to someone who does not control it undermines both: whoever holds its private key can impersonate the site and read or alter the traffic.

The certificate, for several Google domains, was issued by MCS Holdings, an Egyptian intermediate certificate authority that, according to Google, was only meant to issue certificates for domains it had registered itself. It was able to issue the certificate because the China Internet Network Information Center (CNNIC), a certificate authority trusted by most browsers and operating systems, had granted it an intermediate certificate, which allows its holder to issue certificates that chain up to CNNIC's trusted root. That restriction existed only in the agreement between the two companies, not in the intermediate certificate itself, so nothing in a browser's validation of the chain would have stopped a certificate for Google's domains from checking out.
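The gap between a contractual restriction and one a browser actually enforces can be shown with a throwaway PKI. The script below is an added example, not code from the article, Google, CNNIC or MCS Holdings: it uses the openssl command line to create a root, an intermediate that may sign for anything (as MCS's could), and the same intermediate re-certified with a critical nameConstraints extension (RFC 5280, section 4.2.1.10) limiting it to a made-up domain, mcs.example. A leaf certificate for www.google.com chains successfully under the first intermediate and is rejected under the second, while a leaf for www.mcs.example still passes. All names, domains and file names are invented for the example; it needs only the openssl CLI (1.1.1 or later).

```shell
#!/bin/sh
# Added example: a throwaway PKI that contrasts an unconstrained intermediate
# CA with one carrying a critical nameConstraints extension (RFC 5280 4.2.1.10).
# All names and domains are made up; "mcs.example" stands in for the domain
# the intermediate was supposed to be limited to. Needs only the openssl CLI.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
# x509_extensions is only used by "req -x509", i.e. for the self-signed root.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

newkey_csr() {    # $1 CN  $2 key file  $3 csr file
    openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

sign() {          # $1 csr  $2 issuer cert  $3 issuer key  $4 output cert; extensions on stdin
    cat > "$4.ext"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 -sha256 \
        -extfile "$4.ext" -out "$4" 2>/dev/null
}

issue_leaf() {    # $1 hostname  $2 intermediate cert  $3 output cert
    newkey_csr "$1" "$3.key" "$3.csr"
    sign "$3.csr" "$2" int.key "$3" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
}

make_pki() {
    # Root CA: plays the part of the root that browsers and Windows trust.
    openssl req -x509 -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=Example Root CA" -days 30 -sha256 \
        -keyout root.key -out root.crt 2>/dev/null

    # One intermediate key, certified twice by the root.
    newkey_csr "Example Intermediate CA" int.key int.csr

    # (a) Unconstrained: CA:TRUE and nothing else. Any promise about which
    #     domains it may sign for exists only on paper.
    sign int.csr root.crt root.key int_unconstrained.crt <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

    # (b) Constrained: the same promise written into the certificate, where
    #     every relying party checks it during path validation.
    sign int.csr root.crt root.key int_constrained.crt <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
nameConstraints = critical, permitted;DNS:mcs.example
EOF

    # Leaves: a domain the intermediate does not own, under each intermediate,
    # and one inside its permitted subtree.
    issue_leaf www.google.com  int_unconstrained.crt google_via_unconstrained.crt
    issue_leaf www.google.com  int_constrained.crt   google_via_constrained.crt
    issue_leaf www.mcs.example int_constrained.crt   own_via_constrained.crt
}

# Validate leaf -> intermediate -> root the way a client would. Prints "ok" or
# "fail" and always returns 0 so the result can be compared by callers.
verify_chain() {  # $1 intermediate cert  $2 leaf cert
    if openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
echo "www.google.com via unconstrained intermediate: $(verify_chain int_unconstrained.crt google_via_unconstrained.crt)"
echo "www.google.com via constrained intermediate:   $(verify_chain int_constrained.crt google_via_constrained.crt)"
echo "www.mcs.example via constrained intermediate:  $(verify_chain int_constrained.crt own_via_constrained.crt)"
```

Run it with `sh` and the three lines report ok, fail and ok in that order. The constraint does nothing for a CA that never puts it in the intermediate it issues, which is why the only remedy available to the browser and OS vendors here was to distrust MCS's intermediate outright.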

Google and Mozilla, the maker of the Firefox browser, responded by blocking MCS's intermediate certificate in Chrome and Firefox. Users did not need to take any action.

Microsoft on Tuesday said it had taken similar action, removing trust for MCS's intermediate certificate through an update to its Certificate Trust List. The company is also working on an update for Windows Server 2003. Customers will not need to take any action, Microsoft said.

Microsoft added that the certificate could have been used to spoof any of the Google domains it covered.

Google security engineer Adam Langley said the Egyptian company had committed a "serious breach" of the CA system, but also criticised CNNIC for neglecting its responsibility to ensure MCS was fit to hold an intermediate certificate before delegating its authority to it.

The incident is reminiscent of the unauthorised certificates for Google domains issued in December 2013 by an intermediate CA operated by the French Treasury, part of the Ministry of Finance, which chained up to ANSSI, the French national cybersecurity agency.