11 Dec 2013

Microsoft Revokes SSL Certificate after Mistaken Issuance

A French government agency issued an unauthorized Secure Sockets Layer (SSL) certificate for several Google domains, raising concerns of spoofing, spying and other illegal activity.

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority,” Google announced on its blog. The company updated its browser’s certificate revocation metadata to block the SSL certificate and notified the authorities involved and other browser vendors.

ANSSI (Agence nationale de la sécurité des systèmes d'information) blamed the issuance on a human error that occurred “during a process aimed at strengthening the overall IT security of the French Ministry of Finance.”

Further investigation showed the CA certificate had been used on a private network to intercept and inspect encrypted traffic without the users’ knowledge.

Microsoft warned that “these SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.”

An automatic OS update will be issued to remove trust for the certificate in all Windows versions, except for Windows XP and Windows Server 2003.

Google classified this incident “as a serious breach” and recommended more transparency in verifying SSL certificates.