In January, an unnamed man came into possession of the live.fi certificate after noticing that he was able to use firstname.lastname@example.org as an alias for his normal e-mail address.
The news was spread by Tivi.fi, the man discovered in this way that it was a highly privileged address that allowed him to automatically receive sensitive certificates from browser-trusted certificate authority Comodo.
Despite the man made the worrying discovery in January, only now it seems that Microsoft has discovered and blacklisted the bogus SSL digital certificate that could be exploited to run man-in-the-middle attacks, the fraudulent certificate was issued for one of the company’s Windows Live Web addresses.
“Microsoft is aware of an improperly issued SSL certificate for the domain “live.fi” that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.” states the security advisory published by Microsoft.
Microsoft confirmed that the bogus certificate for the domain “live.fi” could also by threat actors to spoof content or carry out phishing attacks, so the certificate authority Comodo that issued the digital certificate has revoked it promptly. In response, Microsoft is updating its Certificate Trust List (CTL) for all supported releases of Microsoft Windows to avoid the exploitation of the digital certificate.
In the next days, also Google Chrome and Mozilla Firefox will block the bogus digital certificate to protect their users.
An unauthorized entity was able to register an email account on the domain with a “privileged username,” and use it to request a bogus certificate for live.fi. For the majority of Windows systems that are using the automatic updater of revoked certificates, customers do not need to take any action.
Microsoft warns that users who don’t run an automatic updater have to run the manual update KB2917500 to blacklist the certificate.
Comodo assured its customers by claiming that all of its certificates must pass through Domain Control Validation (DCV) before they’re issued, but it seems that third party used an email (i.e. administrator@, admin@, etc.) to prove ownership of the domain and subsequently the certificate.
Microsoft reported that the bogus SSL certificate was issued due to a misconfigured privileged email account on the live.fi domain.
A disconcerting fact of this history is that the Finnish man who obtained the digital certificate said he warned both Microsoft and Finland authorities, but he hasn’t received any response.
Unfortunately, this incident confirms concerns of security experts about a proper management of digital certificate life-cycle.
The security researcher Moxie Marlinspike demonstrated in 2009 how to easily defeat the revocation lists used by common browsers to check the validity of TLS certificates.
“That’s because the “online certificate status protocol” and an earlier database known as certificate revocation lists trigger what’s known as a “soft fail” rather than a more secure but also harder-to-tolerate “hard fail.” As a result, when an Internet outage makes a revocation list unavailable, most browsers will treat an unvalidated certificate as trusted. Attackers using a CA-issued counterfeit certificate to mount a man-in-the-middle attack can capitalize on this flaw by suppressing revocation response before it reaches a targeted end user. That means the only sure way to block an improperly issued certificate is for each browser maker to hard-code the revocation into an update. Windows 8 and 8.1 come with an automatic updater of revoked certificates.” reported a post published by ArsTechnica on the issue.
If you are interested to know more about possible abuses of digital certificates read the post “How Cybercrime Exploits Digital Certificates.”
(Security Affairs – digital certificate, SSL)