Microsoft move to revoke trust in 20 root certificates could wreak havoc on sites

Lucian Constantin | Dec. 21, 2015
Thousands of websites will generate errors in browsers if their owners don't replace certificates in less than a month

Microsoft will remove 20 root certificates from the Windows trust store

Tens of thousands of secure websites might start to display certificate errors to their visitors in January, when Microsoft plans to stop trusting 20 certificate authorities (CAs) from around the world.

The certificates scheduled to be removed from Microsoft's Trusted Root Certificate Program belong to CAs run by private or state-owned organizations from the U.S., France, the Czech Republic, Japan, Denmark, Chile, Turkey, Luxembourg, Ireland, Slovenia and Brazil.

With their removal from Microsoft's program, the CAs will also be removed from the certificate trust list in Windows that's used by browsers such as Google Chrome, Internet Explorer and Microsoft Edge, as well as by email clients and other applications that support secure communications over SSL/TLS.

When such applications encounter a certificate on a website or other type of server, they verify its authenticity by checking whether it has been signed by a CA listed in the Windows certificate store, or by an intermediary issuer that's itself signed by such a CA.

Therefore, the removal of a CA's certificate from the Microsoft Trusted Root Certificate Program will essentially render all certificates that chain back to it as untrusted. This doesn't apply just to SSL/TLS certificates, but also to code-signing certificates that are used to validate that software programs have been released by legitimate developers and haven't been modified.
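As an added example (not part of the article), the following PowerShell script lets a site owner perform the chain check described above against their own hosts: it fetches each server's certificate, builds the chain through the Windows trust store, and reports which root it terminates in. The thumbprint list and the host names are placeholders to be replaced with the values from Microsoft's announcement and your own inventory.

```powershell
# Added example, not from the article or from Microsoft. Audits which root a
# server certificate chains to on this Windows machine and flags roots on a
# list you supply. PLACEHOLDER thumbprint: fill from Microsoft's published list.
$RemovedRootThumbprints = @('0000000000000000000000000000000000000000')

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server presents here; trust is evaluated separately below.
    $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

function Test-RootRemoval {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$FlaggedThumbprints
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP lookups so the audit does not depend on revocation endpoints being reachable.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() walks leaf -> intermediates -> root using the Windows certificate store.
    $builds = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject        = $Cert.Subject
        ExpiresOn      = $Cert.NotAfter
        ChainBuilds    = $builds
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        RootFlagged    = $FlaggedThumbprints -contains $root.Thumbprint
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Placeholder host names: replace with your own inventory.
'www.example.com', 'mail.example.com' | ForEach-Object {
    Test-RootRemoval -Cert (Get-ServerCertificate -HostName $_) -FlaggedThumbprints $RemovedRootThumbprints
} | Format-Table -AutoSize
```

Once Microsoft's update has removed a root from the store, the same script reports `ChainBuilds` as False with `UntrustedRoot` in `ChainStatus` for affected hosts, so the thumbprint list is only needed to find them before the change lands.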

Microsoft will remove the 20 CAs because they either voluntarily chose to leave the root program, or because they failed to comply with more stringent technical and auditing requirements that were published in June, said Aaron Kornblum, program manager for governance, risk management and compliance in Microsoft's Enterprise & Security Group, in a blog post Thursday.

It's not clear how many of the 20 organizations decided to retire their CAs willingly, but some of them were not aware that their certificates had been flagged for removal until last Thursday.

"We don't have any information from Microsoft about removing our CA from the MTRCP program," said Miroslav Trávníček, project manager at PostSignum, a CA operated by the state-owned Czech Post. "We have an audit valid until December 2016, which was confirmed by Microsoft," he said via email.

PostSignum provides digital certificates for websites, email encryption and electronic signatures needed to communicate with public institutions. It is on Microsoft's list of CAs that are scheduled to be removed.

Certigna, a CA based in France with over 7,000 customers, learned about the removal plans last Thursday when Microsoft published its announcement, according to Arnaud Dubois, the CEO of Dhimyotis, the CA's parent company.
