Slashdot Mirror


Microsoft Blacklists Fake Finnish Certificate

jones_supa writes Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to "trust" the known bad certificate for months or even years, and that attackers could use it to trick users into running malware. "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks," Microsoft says in a March 16 security alert. "It cannot be used to issue other certificates, impersonate other domains or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

2 of 29 comments

  1. It's been explained by Anonymous Coward · Score: 5, Informative

    Steve Gibson (@SGgrc), of GRC.com fame, has already explained this on his latest "Security Now" podcast. It was sort of a joke/gimmick from someone trying to make a point about the insecurity of certificate authorities. The summary here is absolute flamebait, getting things WAY out of proportion. Weird. Listen to it and you'll see what I mean.

  2. Can you receive mail to hostmaster@somedomain.tld? by Anonymous Coward · Score: 2, Informative

    Then you can get a certificate for that domain, even if you only have access to that mail address for a short while. That's how securely the CA hierarchy protects you. That's the level of scrutiny you can expect from CAs that your browser trusts.
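
A mail operator can audit for the condition the second comment describes. The following is an added example, not part of the original thread: it resolves who actually receives mail for the administrative addresses that the CA/Browser Forum Baseline Requirements let a CA use for e-mail domain validation (that list is not from the page), following aliases and catch-alls. The function names, the `routes` format and all sample data are assumptions constructed for illustration.

```python
# Local parts the CA/Browser Forum Baseline Requirements allow a CA to
# construct for e-mail domain validation (list is not taken from the page).
RESERVED_LOCAL_PARTS = ("admin", "administrator", "webmaster",
                        "hostmaster", "postmaster")

def final_recipient(address, routes, max_hops=10):
    """Follow alias and catch-all ("*@domain") routes to the end mailbox.

    `routes` maps lower-cased address -> target; a real mailbox maps to
    itself. Returns None if nothing accepts the mail or aliases loop.
    """
    addr = address.casefold()
    for _ in range(max_hops):
        domain = addr.rpartition("@")[2]
        target = routes.get(addr, routes.get("*@" + domain))
        if target is None:
            return None
        if target == addr:
            return addr
        addr = target
    return None

def audit_validation_mailboxes(domains, routes, trusted):
    """Return (reserved address, recipient) pairs not held by trusted staff."""
    routes = {k.casefold(): v.casefold() for k, v in routes.items()}
    trusted = {t.casefold() for t in trusted}
    findings = []
    for domain in domains:
        for local in RESERVED_LOCAL_PARTS:
            address = f"{local}@{domain.casefold()}"
            recipient = final_recipient(address, routes)
            if recipient is not None and recipient not in trusted:
                findings.append((address, recipient))
    return findings

# Constructed sample routing table for a hypothetical mail provider.
SAMPLE_ROUTES = {
    "ops@example.test": "ops@example.test",              # staff mailbox
    "postmaster@example.test": "ops@example.test",       # alias to staff
    "Hostmaster@example.test": "Hostmaster@example.test",  # customer signup
    "alice@example.test": "alice@example.test",          # customer mailbox
    "*@shop.example.test": "alice@example.test",         # customer catch-all
}

if __name__ == "__main__":
    hits = audit_validation_mailboxes(
        ["example.test", "shop.example.test"], SAMPLE_ROUTES, {"ops@example.test"})
    for address, recipient in hits:
        print(f"{address} is delivered to untrusted mailbox {recipient}")
```

Any finding means someone outside the trusted set could answer a CA's validation e-mail for that domain; the catch-all case is the one most often missed, because no mailbox with a reserved name exists at all.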