Microsoft move to revoke trust in 20 root certificates could wreak havoc on sites

Lucian Constantin | Dec. 21, 2015
Thousands of websites will generate errors in browsers if their owners don't replace certificates in less than a month

It's because of a change to a contract that hasn't been taken into account, but should be fixed Monday or early next week, Dubois said.

Yannick Leplard, director of research and development at Dhimyotis, explained that the company was supposed to sign a new contract with Microsoft in June committing to respect a number of good practices that the CA already follows.

"We’ve checked and it seems that we only received the draft of the contract, and so Microsoft hasn’t had the real contract from us," he said. "We had a contract marked 'For review only,' so we signed the draft."

A root certificate belonging to DanID, a CA operated by the Danish company Nets, is also listed for removal. Nets runs NemID, a hardware-authentication system widely used in Denmark for online banking, government websites and services operated by private companies.

Nets did not immediately respond to a request for comment. Neither did Serasa Experian, the leading credit bureau in Brazil, or the American financial services company Wells Fargo, both of which have multiple root certificates flagged for removal.

Post.Trust, an Irish CA that Microsoft plans to untrust, already has a notice on its website, informing customers that it has ceased to issue SSL certificates. This might be one of the CAs that voluntarily withdrew from the program.

In its notice, the company says that "SSL certificates issued by Post.Trust will remain valid until expiry." While technically this is true, once Microsoft removes the root certificate, users will begin to see errors when they try to access websites that use Post.Trust-issued certificates. The same is true for certificates that chain back to any of the other roots being removed.

"If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate," Kornblum said. "If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue."

Even though users have the option to bypass the security warnings and add exceptions in their browsers, it's likely that many of them won't. Microsoft recommends that owners of certificates linked to the soon-to-be-removed roots obtain replacements for them from other providers. However, they might want to contact their current CAs first and ask whether they have any plans to fix this problem.
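To make concrete why "valid until expiry" is not the same as "trusted", here is an added illustration that is not from the article or from any of the CAs named: a small model of certificate chain building that checks expiry and trust-anchor membership as separate questions. Signatures are not verified in this model, and every name and fingerprint in it is constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder, not a real thumbprint
    not_after: date

def build_chain(leaf, intermediates):
    """Follow issuer names upward until a self-signed cert or a dead end."""
    by_subject = {c.subject: c for c in intermediates}
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent in chain:
            break
        chain.append(parent)
    return chain

def verify(leaf, intermediates, trusted_roots, today):
    """Return (trusted, reason). Expiry and anchor membership are independent checks."""
    chain = build_chain(leaf, intermediates)
    for c in chain:
        if today > c.not_after:
            return False, f"expired: {c.subject}"
    anchor_prints = {r.fingerprint for r in trusted_roots}
    anchor_names = {r.subject for r in trusted_roots}
    if any(c.fingerprint in anchor_prints for c in chain):
        return True, "chain ends at a trusted root"
    if chain[-1].issuer in anchor_names:  # root omitted from the chain but present in the store
        return True, "chain issuer is a trusted root"
    return False, f"no trusted anchor for {chain[-1].issuer}"

# Constructed sample hierarchy: leaf -> intermediate -> root, none of them expired.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "root-fp", date(2030, 1, 1))
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", "inter-fp", date(2025, 1, 1))
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA", "leaf-fp", date(2017, 6, 1))
TODAY = date(2016, 1, 1)

def before_removal():
    # Root is still in the trust store: the chain validates.
    return verify(LEAF, [INTER], trusted_roots=[ROOT], today=TODAY)

def after_removal():
    # Same unexpired chain, but the root has been removed from the store: untrusted.
    return verify(LEAF, [INTER], trusted_roots=[], today=TODAY)
```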

In an emailed statement, a Microsoft representative clarified that this action is not related to the industry effort of phasing out SHA-1-signed certificates, even though all root certificates flagged for removal have SHA-1 signatures.
