Microsoft warns of hack attempt on Windows Live, Google, Yahoo, Skype, Mozilla

Microsoft issued a warning today that nine fraudulent digital certificates were issued by the root certificate authority Comodo Group. Although the certificates were quickly revoked, their initial release still poses a threat to browser users, including users of Internet Explorer. This is not a security flaw in Microsoft software, the company says, but it released a security update for Windows all the same.

The nine fake certificates affect the following Web sites, Microsoft says:

  • login.live.com (Windows Live)

  • mail.google.com

  • www.google.com

  • login.yahoo.com (3 certificates)

  • login.skype.com

  • addons.mozilla.org

  • "Global Trustee"

Fraudulent certificates give hackers the ability to spoof content, phish, or insert themselves in man-in-the-middle attacks, collecting information that users think is being sent over a secure link from browser to Web site. Browsers that have enabled the Online Certificate Status Protocol (OCSP) will automatically invalidate these certificates and block them from being used. IE7 and later support this by default, as do Firefox 3 and later, Safari on Mac OS X (but it must be manually activated), Opera 8 and Chrome.

http://www.networkworld.com/community/blog/microsoft-warns-hack-attempt-windows-live-goo?source=NWWNLE_nlt_daily_pm_2011-03-23
