Microsoft removes trust for bogus Google digital certificates from Egypt

Microsoft is removing trust for a digital certificate for several Google domains that could have been used to spoof its services and intercept traffic to them.

Microsoft is moving to protect Windows users from a bad digital certificate discovered by Google late last week that could be used to set up fake Google sites and intercept traffic to them.

Digital certificates are used to verify the authenticity of a site and to encrypt data between a browser and a website. However, an improperly issued one could be abused by an attacker.

The certificate, for several Google domains, was issued by MCS Holdings, an Egyptian intermediate certificate authority that, according to Google, was only meant to issue certificates for domains it had registered. MCS was able to issue the certificate because it had been granted an intermediate certificate (one that can be used to generate its own certificates) by the China Internet Network Information Center (CNNIC), a certificate authority that is trusted by most browsers and operating systems.

Google and Mozilla, the maker of the Firefox browser, responded by blocking MCS’ intermediate certificate. Users didn’t need to take action.

Microsoft on Tuesday said it has taken similar action by removing trust for MCS’s certificate through an update to its Certificate Trust List. The company is also working on an update for Windows Server 2003. Customers will not need to take any action, Microsoft said.

Microsoft added that the certificates could be used to spoof the domains:

* * * * *

Google security engineer Adam Langley said the Egyptian company committed a “serious breach” of the CA system, but also criticised CNNIC for neglecting its responsibility to ensure MCS was fit to hold the intermediate certificate.

The incident is reminiscent of botched certificates for Google domains issued in 2013 by the French Ministry of Finance.


Stories by Liam Tung
