Microsoft Blacklists Fake Finnish Certificate
jones_supa writes: Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to "trust" the known bad certificate for months or even years, and that attackers could use it to trick users into running malware. "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks," Microsoft says in a March 16 security alert. "It cannot be used to issue other certificates, impersonate other domains or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."
This is the second time this has happened to Microsoft. You'd think after the first time someone was able to register an administrator address @live.com they would have brainstormed all the names that might possibly be considered special, or hell, just checked which ones are being used this way, and then reserved them. How many can there possibly be? 10?
We can argue about whether sending an email is a good way to verify ownership of a domain or not, but really, someone who could register hostmaster@live.fi could play all sorts of social engineering games quite outside of the CA system.
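The mitigation the comments above describe, as an added example that is not part of the original story or comments and not Microsoft's code: a sign-up filter for a webmail provider that refuses mailbox names a CA's domain-validation e-mail would treat as proof of domain control. The reserved list is constructed here from RFC 2142 role mailboxes and the CA/Browser Forum Baseline Requirements' admin addresses (admin, administrator, webmaster, hostmaster, postmaster); the dot and plus-tag normalization is an assumption about how a provider treats equivalent addresses, so adjust it to match yours.

```python
# Sign-up time filter: block mailbox names that domain-validation processes treat
# as evidence of controlling the domain. Constructed example, not Microsoft's code.

# Reserved local parts. Constructed from RFC 2142 role names plus the CA/Browser
# Forum's domain-validation addresses; extend for your own provider.
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "abuse", "noc", "security", "support", "info", "www", "ftp",
})


def normalize_local_part(name: str) -> str:
    """Canonicalize a requested mailbox name so lookalikes hit the same rule.

    Assumption: the provider delivers 'Host.Master+x@' to the same mailbox as
    'hostmaster@' (case-insensitive, dots ignored, '+tag' stripped). If yours
    does not, drop the corresponding step; never normalize more loosely than
    your delivery rules actually do, or the check will reject names that are
    really distinct.
    """
    name = name.strip().lower()
    name = name.split("+", 1)[0]   # '+tag' suffixes route to the base mailbox
    name = name.replace(".", "")   # dots are insignificant in this model
    return name


def is_reserved(name: str) -> bool:
    """True if the normalized name collides with a privileged role mailbox."""
    return normalize_local_part(name) in RESERVED_LOCAL_PARTS


def validate_signup(requested: str) -> tuple[bool, str]:
    """Decide whether a user may register `requested` as a mailbox name.

    Returns (allowed, reason). The reason is meant for an audit log: a refused
    attempt on a reserved name is worth recording, since it is exactly the
    precursor to the live.fi incident described in the story.
    """
    normalized = normalize_local_part(requested)
    if not normalized:
        return False, "empty local part after normalization"
    if normalized in RESERVED_LOCAL_PARTS:
        return False, f"'{requested}' normalizes to reserved role mailbox '{normalized}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample sign-up attempts, including a reserved name and a
    # dotted/tagged variant of one.
    for attempt in ["jones_supa", "hostmaster", "Host.Master+ca", "admin", "alice.smith"]:
        allowed, reason = validate_signup(attempt)
        print(f"{attempt!r:20} -> {'allow' if allowed else 'deny '}  ({reason})")
```

The point of the audit reason is that a denied registration for `hostmaster` or `admin` is a useful detection signal on its own: it tells the provider someone probed for a validation address, which is cheap to alert on and far cheaper than discovering the collision after a CA has issued a certificate.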