Thursday 19 March 2015

Finn Gets Microsoft SSL Certificate By Sending Email


Microsoft invalidated an SSL certificate for Windows Live this week because a Finnish system administrator had requested and received it via email. The revoked certificate had been issued for the domain Live.fi and made it possible to carry out phishing and man-in-the-middle attacks. The man has now told the Finnish Tivi how he got hold of the certificate.

When Microsoft launched the domain Live.fi, it was possible to register several aliases that are normally used for administrative matters. The Finnish system administrator decided, in his own words "as a joke", to create the alias hostmaster@live.fi as his own email address, which to his surprise also worked. Through this alias he could then try to apply for a certificate for the domain. SSL certificates are issued by Certificate Authorities. The wrongly issued certificate for Live.fi was issued by the Certificate Authority Comodo.

Before an SSL certificate for a domain can be issued, the requesting party must prove that he or she is the owner of the domain. To verify this, Comodo sends a confirmation email to an address such as admin@, postmaster@, hostmaster@ or webmaster@ at the domain for which the certificate is requested.

The Finnish system administrator decided to request the certificate for the domain Live.fi through the alias hostmaster@live.fi, and indeed received the confirmation email in his inbox. The man warned the Finnish telecoms watchdog about the problem, but got no help. He then warned Microsoft, but there too he was met with silence until Microsoft decided this week to revoke the wrongly issued certificate.
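
A mail provider can close this gap by refusing to hand out the validation local parts at sign-up and by auditing aliases that already exist. The following is an added example, not code from the article, Microsoft or Comodo; the function names, the `example.test` sample data, the owner labels and the normalization rules (case-insensitive delivery, `+tag` ignored, NFKC folding) are assumptions.

```python
import unicodedata

# Local parts a CA may mail for domain validation. The article names admin,
# postmaster, hostmaster and webmaster; "administrator" is added here from the
# CA/Browser Forum Baseline Requirements list of constructed addresses.
RESERVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}
)


def normalize_local_part(value: str) -> str:
    """Reduce a requested alias to the mailbox name it would be delivered to.

    Assumption: the platform delivers case-insensitively and ignores a
    "+tag" suffix. NFKC folding also maps look-alike forms such as
    full-width letters onto their ASCII equivalents before comparison.
    """
    local = value.strip().split("@", 1)[0]
    local = unicodedata.normalize("NFKC", local).casefold()
    return local.split("+", 1)[0]


def is_reserved(value: str) -> bool:
    """True if the alias must never be assignable to an ordinary user."""
    return normalize_local_part(value) in RESERVED_LOCAL_PARTS


def audit_aliases(records):
    """Return addresses that use a reserved name but are not staff-owned.

    `records` is an iterable of (address, owner_type) pairs; the owner
    labels "staff" and "user" are hypothetical.
    """
    return [addr for addr, owner in records
            if owner != "staff" and is_reserved(addr)]


# Constructed sample data, not taken from any real system.
SAMPLE_ALIASES = [
    ("postmaster@example.test", "staff"),
    ("Hostmaster@example.test", "user"),
    ("webmaster.fan@example.test", "user"),
    ("admin+x@example.test", "user"),
]

if __name__ == "__main__":
    for address in audit_aliases(SAMPLE_ALIASES):
        print("reserved alias held by a user:", address)
```

Run the sign-up check (`is_reserved`) before an alias is created, and run the audit against the existing directory, since an alias registered before the check was deployed stays usable for certificate validation.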
