Slashdot Mirror


Microsoft Blacklists Fake Finnish Certificate

jones_supa writes Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to "trust" the known bad certificate for months or even years, and that attackers could use it to trick users into running malware. "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks," Microsoft says in a March 16 security alert. "It cannot be used to issue other certificates, impersonate other domains or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

29 comments

  1. That man... by Anonymous Coward · · Score: 1

    The man let Microsoft know he got the cert just by asking. JUST BY ASKING! AND LET THEM KNOW ABOUT IT!

    1. Re: That man... by Anonymous Coward · · Score: 0

      I knew that a long time ago.

  2. It's been explained by Anonymous Coward · · Score: 5, Informative

    Steve Gibson (@SGgrc), of GRC.com fame, has already explained this on his latest "Security Now" podcast. It was sort of a joke/gimmick from someone trying to make a point about the insecurity of certificate authorities. The summary here is absolute flamebait, getting things WAY out of proportion. Weird. Listen to it and you'll see what I mean.

    1. Re:It's been explained by dotancohen · · Score: 1

      He made a very good point. The truth is that users have no way of knowing which of the tens of certificates included in the browser to leave and which to remove. This Super User question remains without a satisfactory answer, even as browser cert issues pile up almost monthly:
      http://superuser.com/questions...

      --
      It is dangerous to be right when the government is wrong.
    2. Re:It's been explained by Anonymous Coward · · Score: 0

      There's a brief article written in English, about the actions and motives of the Finnish person. And Microsoft's response:

      http://www.tivi.fi/Kaikki_uutiset/2015-03-18/A-Finnish-man-created-this-simple-email-account---and-received-Microsofts-security-certificate-3217662.html [tivi.fi]

  3. Can you receive mail to hostmaster@somedomain.tld? by Anonymous Coward · · Score: 2, Informative

    Then you can get a certificate for that domain, even if you only have access to that mail address for a short while. That's how securely the CA hierarchy protects you. That's the level of scrutiny you can expect from CAs that your browser trusts.

  4. Never can trust a commie by Anonymous Coward · · Score: 0

    Proof of the pudding this is

  5. not Finland. the guy on the phone is from India by turkeydance · · Score: 2

    He says there is a problem with my Windows.

    1. Re:not Finland. the guy on the phone is from India by rmdingler · · Score: 1, Funny

      It is positively Palinesque that he can tell from there.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  6. Fail by IamTheRealMike · · Score: 1, Insightful

    This is the second time this has happened to Microsoft. You'd think after the first time someone was able to register an administrator address @live.com they would have brainstormed all the names that might possibly be considered special, or hell, just checked which ones are being used this way, and then reserved them. How many can there possibly be? 10?

    We can argue about whether sending an email is a good way to verify ownership of a domain or not, but really, someone who could register hostmaster@live.fi could play all sorts of social engineering games quite outside of the CA system.

    1. Re:Fail by bloodhawk · · Score: 3, Insightful

      To accept a request just because the email address "looks" like it could be legitimate is worse than moronic. 10 combinations? You could easily come up with 100s if not 1000s of subtle versions, misspellings, etc. The fact all the register does is say, "well, that address looks legit, let's trust it" is fucking scary. People laugh at users for falling for phishing attacks, and that is against people that know no better.

    2. Re:Fail by IamTheRealMike · · Score: 1

      Comodo aren't trying misspellings of "root@live.com" - do you think domain validation requests are reviewed by humans? They are not and that's why they are cheap or free. They have a fixed list of hard coded addresses they are willing to try.

      EV certs are reviewed by humans and that's why obtaining a fraudulent one is much harder, actually I never heard of it ever happening. But they cost more. It seems that live.fi redirects to live.com which has an EV cert for "Microsoft Corporation", so even if the fake cert had been used in a MITM attack, if you knew to check the address bar for the name of the company instead of just a padlock you would have been protected.

    3. Re:Fail by Anonymous Coward · · Score: 0

      RTF, it wasn't automated, he asked them to issue it.

    4. Re:Fail by Anonymous Coward · · Score: 0

      It does not matter if the EV certificates cost more. The question is why the lower security root certificates based on fully automated checks only are shipped by default in the OS.

    5. Re:Fail by Anonymous Coward · · Score: 0

      What the hell are you talking about? This is not a cert used for OS or code signing. It is a web server cert.

    6. Re:Fail by Anonymous Coward · · Score: 0

      At least with Windows, the trusted CA certificates are shipped with the OS. Several browsers and other client programs use the Windows Certificate Store to manage the CAs they trust.
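The reservation that comment 6 asks for, together with the fixed address list its replies describe, as an added Python example (not code from Slashdot or any commenter): a mail provider's sign-up check that refuses the mailbox names a CA would e-mail for domain validation. The CA/Browser Forum and RFC 2142 mailbox names are real; the dot-insensitivity rule and the sample sign-up names are constructed assumptions.

```python
import unicodedata

# Mailboxes a CA may write to for domain validation under the CA/Browser
# Forum Baseline Requirements ("constructed email" method).
CAB_FORUM_VALIDATION_MAILBOXES = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"})
# Role mailboxes from RFC 2142 that carry similar authority.
RFC2142_ROLE_MAILBOXES = frozenset(
    {"abuse", "noc", "security", "www", "ftp", "usenet", "news", "uucp"})
RESERVED_MAILBOXES = CAB_FORUM_VALIDATION_MAILBOXES | RFC2142_ROLE_MAILBOXES


def normalize_local_part(local_part: str) -> str:
    """Canonicalise a requested name the way a lenient mail system delivers
    it, so look-alikes cannot slip past an exact-string check: NFKC folding
    (fullwidth letters become ASCII), case folding, dropping a '+tag' suffix,
    and dropping dots (assumed: a provider that ignores dots, as some large
    webmail services do)."""
    folded = unicodedata.normalize("NFKC", local_part).casefold()
    folded = folded.split("+", 1)[0]  # hostmaster+anything -> hostmaster
    return folded.replace(".", "")    # host.master -> hostmaster


def is_reserved_mailbox(local_part: str) -> bool:
    """True if a public sign-up for this mailbox name must be refused."""
    return normalize_local_part(local_part) in RESERVED_MAILBOXES


def vet_signup_requests(requested):
    """Split requested mailbox names into (allowed, refused) lists."""
    allowed, refused = [], []
    for name in requested:
        (refused if is_reserved_mailbox(name) else allowed).append(name)
    return allowed, refused


# Constructed sample sign-up attempts for a webmail domain.
SAMPLE_REQUESTS = [
    "matti.meikalainen",  # ordinary user
    "HostMaster",         # case variant
    "hostmaster+cert",    # plus-addressing
    "\uff48\uff4f\uff53\uff54\uff4d\uff41\uff53\uff54\uff45\uff52",  # fullwidth "hostmaster"
    "host.master",        # dot variant
    "helpdesk",           # looks official, but no CA validates through it
]

if __name__ == "__main__":
    allowed, refused = vet_signup_requests(SAMPLE_REQUESTS)
    print("allowed:", allowed)
    print("refused:", refused)
```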

  7. Just Block it In Your Hosts File by sexconker · · Score: 1

    I don't think I'll ever have any need to hit up .fi or .co.uk or .ca or .in or whateverthefuck other third world countries think they deserve to be on the internet.
    So I block them all in my hosts file.

    1. Re:Just Block it In Your Hosts File by Anonymous Coward · · Score: 2

      The Internet thanks you for removing yourself from it.

    2. Re:Just Block it In Your Hosts File by jones_supa · · Score: 1

      Interestingly kernel.org has blocked France, not for certificate reasons though, story here.

    3. Re:Just Block it In Your Hosts File by nmpg · · Score: 1

      Dude, but so far, to my knowledge, there are still no similar attacks with the new cool TLDs like .website, .place, etc. I think things will get more interesting in some time.

  8. A Problem and Its Solutions by DERoss · · Score: 1

    It took quite a bit of searching before I could identify the specific root certificate involved. It turns out that root was already marked as "untrusted", which means I would not have been affected by this problem.

    Also, the subscriber certificate involved is apparently marked as revoked in OCSP (Online Certificate Status Protocol) messages. Those who set their browsers to always confirm the validity of subscriber certificates via an OCSP server and who also set their browsers to assume a subscriber certificate is invalid if an OCSP response cannot be obtained are well protected from this problem.

    Of course, for these solutions to be implemented, users must have browsers that allow root certificates to be marked "untrusted", that have an option to check certificates against OCSP servers, and that have an option to assume that a certificate is invalid if an OCSP response cannot be obtained. Mozilla-based browsers -- Firefox and SeaMonkey -- have all of those capabilities.

  9. Re:Can you receive mail to hostmaster@somedomain.t by Anonymous Coward · · Score: 0

    EV SSL is a little bit better than that

  10. The real story by Anonymous Coward · · Score: 0

    The Finnish media is reporting that:

      - the person found a security hole in live.fi "email security credentials" (whatever that means)
      - verified that the credentials are legit by creating a certificate for live.fi
      - reported the existence of the security hole to Microsoft

    And after sitting on the security hole for two months, Microsoft seems to consider the created certificate as a bigger threat than the security hole used to create it.

    There's nothing to indicate that the created certificate has been used for malicious purposes, or that it has leaked to anyone else. As usual, the person reporting a security hole is not considered trustworthy, even though he chose to report the problem instead of selling the security hole (or certificates) to blackhats for $$$.

  11. Re:Can you receive mail to hostmaster@somedomain.t by Anonymous Coward · · Score: 1

    Your browser does not require EV certificates.

  12. Speaking of blacklists. Should sexists be blacklis by Anonymous Coward · · Score: 0

    Speaking of blacklists. Should sexists be blacklisted from opensource? Should sexist opensource developers have their projects censored or removed?

    Recently an opensource game release story was removed due to the game developer's open sexism(0) and harassment(1) of women in tech.

    A story posted by the editor of the popular Phoronix linux news site about a release of an Open Source videogame was later manually removed(2). The reason cited was the game developer's unacceptable views on social issues such as gender equality (3).

    The release story was titled "Xonotic-Forked ChaosEsqueAnthology Sees New Release - Phoronix" and can be accessed via the google cache(4).

    With the recent inclusion of a code of conduct(5) for those wishing to contribute to the Linux Kernel, some questions now need to be asked and answered about the inclusion of code from people who are known to engage in or promote socially unacceptable attitudes or harassment of those whom the free-software movement would prefer to attract in their place:

    * Are the social or political views of an author of free software relevant to that software's inherent quality?
    * Should the beliefs of an opensource developer weigh when evaluating whether a piece of opensource software is worthy of any publicity or public notice?
    * Should men with unpopular or "forbidden" views be excised from the opensource movement and "not allowed" to contribute, in a manner similar to that which is done in employment?
    * Has the free/opensource software movement changed in these respects since its founding? If so is this a positive change?
    * Should there be gatekeepers to opensource that decide who may and who may not contribute? Should abusive developers be "blackballed" to maintain proper social order and controls?

    and

    * What are the consequences of not doing this?

    Citations:
    (0) Past related incident: http://esr.ibiblio.org/?p=1310
    (1) http://geekfeminism.wikia.com/wiki/Debian_and_LinuxChix_harassment_by_MikeeUSA
    (2) Removed story URL: http://www.phoronix.com/scan.php?page=news_item&px=ChaosEsqueAnthology-Rel-51
    (3) http://www.phoronix.com/forums/showthread.php?115776-Xonotic-Forked-ChaosEsqueAnthology-Sees-New-Release/page2
    "Fortunately, the article has been removed now."
    "Thanks everybody for speaking up."
    (4) https://webcache.googleusercontent.com/search?q=cache:JeCIgSFrBlgJ:http://www.phoronix.com/scan.php?page%3Dnews_item%26px%3DChaosEsqueAnthology-Rel-51%2Bchaosesque&gbv=1&tbs=qdr:w&hl=en&&ct=clnk
    (5) Linux "Code of Conflict"

  13. SSL is best for encryption, not authentication by Antique+Geekmeister · · Score: 1

    Let us be clear: SSL has been demonstrated as vulnerable to top-down attacks, to signature authorities failing to protect or being willing to abuse their signature authorities. The classic example was DigiNotar, but there have certainly been other fake certificates published. If you combine this with the number of hosted web proxies and poorly managed websites with poorly protected wildcard SSL certificates on them, it's not safe to place too much trust in SSL certificates as a form of signature authority. It's too difficult to trace the "path of trust" for a certificate to have full confidence in it, especially with such carelessness in the market place.

    So let's be aware that SSL is helpful against casual monitoring. But the certificates should not be considered sufficient for critical data: a separate verification channel, such as GPG signatures or checksum verifications presented on a different information channel, should be used for verification of the content of the most sensitive data. Even modest encryption practices such as "zip" encrypting a file and sending the key _separately_ can help protect data from casual man-in-the-middle attacks: I've found GPG to be more technologically robust with a very useful chain-of-trust model, but it's not well enough integrated for many of my non-technical clients to use well.

  14. Re:Can you receive mail to hostmaster@somedomain.t by Anonymous Coward · · Score: 1

    Or if you can listen to email traffic sent to hostmaster@somedomain.tld :(

    Hooray for default unencrypted email.

  15. For the BEST hosts file possible? by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-1 32/64-bit:

    http://start64.com/index.php?o...

    * :)

    (By "yours truly": & THAT is a new version, as of about a week ago - faster runtime, better filters vs. false positives (big improvement's in the latter)).

    APK

    P.S.=> Populated by 10 reputable & reliable sources in the security community, 1 of which (MalwareBytes' hpHosts) hosts it for me & RECOMMENDS it above all others like it http://hosts-file.net/?s=Downl... - enjoy... apk

  16. Yes there are... apk by Anonymous Coward · · Score: 0

    I've seen 1,000's already on .xn--p1ai (russian) & oriental character based ones (can't type them here, sorry, no keyboard for it)...

    APK