Microsoft move to revoke trust in 20 root certificates could wreak havoc on sites

Thousands of websites will generate errors in browsers if their owners don't replace certificates in less than a month

Tens of thousands of secure websites might start to display certificate errors to their visitors in January, when Microsoft plans to stop trusting 20 certificate authorities (CAs) from around the world.

The certificates scheduled to be removed from Microsoft's Trusted Root Certificate Program belong to CAs run by private or state-owned organizations from the U.S., France, the Czech Republic, Japan, Denmark, Chile, Turkey, Luxembourg, Ireland, Slovenia and Brazil.

With their removal from Microsoft's program, the CAs will also be removed from the certificate trust list in Windows that's used by browsers such as Google Chrome, Internet Explorer and Microsoft Edge, as well as by email clients and other applications that support secure communications over SSL/TLS.

When such applications encounter a certificate on a website or other type of server, they verify its authenticity by checking whether it has been signed by a CA listed in the Windows certificate store, or by an intermediate issuer that is itself signed by such a CA.

Therefore, removing a CA's certificate from the Microsoft Trusted Root Certificate Program will essentially render untrusted every certificate that chains back to it. This doesn't apply just to SSL/TLS certificates, but also to code-signing certificates that are used to validate that software programs have been released by legitimate developers and haven't been modified.

Microsoft will remove the 20 CAs because they either voluntarily chose to leave the root program, or because they failed to comply with more stringent technical and auditing requirements that were published in June, said Aaron Kornblum, program manager for governance, risk management and compliance in Microsoft's Enterprise & Security Group, in a blog post Thursday.

It's not clear how many of the 20 organizations decided to retire their CAs willingly, but some of them were not aware that their certificates had been flagged for removal until yesterday.

"We don't have any information from Microsoft about removing our CA from the MTRCP program," said Miroslav Trávníček, project manager at PostSignum, a CA operated by the state-owned Czech Post. "We have an audit valid until December 2016, which was confirmed by Microsoft," he said via email.

PostSignum provides digital certificates for websites, email encryption and electronic signatures needed to communicate with public institutions. It is on Microsoft's list of CAs that are scheduled to be removed.

Certigna, a CA based in France with over 7,000 customers, learned about the removal plans yesterday when Microsoft published its announcement, according to Arnaud Dubois, the CEO of Dhimyotis, the CA's parent company.

The problem stems from a contract change that hasn't yet been taken into account, but it should be fixed on Monday or early next week, Dubois said.

Yannick Leplard, director of research and development at Dhimyotis, explained that the company was supposed to sign a new contract with Microsoft in June committing to respect a number of good practices that the CA already follows.

"We’ve checked and it seems that we only received the draft of the contract, and so Microsoft hasn’t had the real contract from us," he said. "We had a contract marked 'For review only,' so we signed the draft."

A root certificate belonging to DanID, a CA operated by the Danish company Nets, is also listed for removal. Nets runs NemID, a hardware-based authentication system widely used in Denmark for online banking, government websites and services operated by private companies.

Nets did not immediately respond to a request for comment. Neither did Serasa Experian, the leading credit bureau in Brazil, or the American financial services company Wells Fargo, both of which have multiple root certificates flagged for removal.

Post.Trust, an Irish CA that Microsoft plans to stop trusting, already has a notice on its website informing customers that it has ceased to issue SSL certificates. This might be one of the CAs that voluntarily withdrew from the program.

In its notice, the company says that "SSL certificates issued by Post.Trust will remain valid until expiry." While technically this is true, once Microsoft removes the root certificate, users will begin to see errors when they try to access websites that use Post.Trust-issued certificates. The same is true for certificates that chain back to any of the other CAs on the removal list.

"If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate," Kornblum said. "If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue."

Even though users have the option to bypass the security warnings and add exceptions in their browsers, it's likely that many of them won't. Microsoft recommends that owners of certificates linked to the soon-to-be-removed roots obtain replacements for them from other providers. However, they might want to contact their current CAs first and ask whether they have any plans to fix this problem.
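The chain-building behaviour described earlier, and the recommendation to find out whether your own certificates are affected, can be checked from the Windows side with the script below. It is an added example, not code from the article or from Microsoft: it walks the local machine's personal certificate store, builds each certificate's chain with the same .NET X509Chain logic Windows uses, and reports which root each one terminates at. The $RemovedRootThumbprints list is a placeholder to be filled with the thumbprints from Microsoft's announcement.

```powershell
# Added example (not from the article): inventory certificates in the local
# machine store and report the root CA each one chains to, so an administrator
# can spot certificates that will become untrusted when a root is removed.
# Placeholder list: replace with the SHA-1 thumbprints from Microsoft's announcement.
$RemovedRootThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real root
)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Only chain building matters here, so skip online revocation lookups.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $built = $chain.Build($cert)          # $false once the root is no longer trusted
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # The last element of a successfully built chain is the self-signed root.
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [PSCustomObject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        ChainBuilds    = $built
        ChainStatus    = $status            # e.g. UntrustedRoot after the removal
        RootSubject    = if ($root) { $root.Subject } else { '' }
        RootThumbprint = if ($root) { $root.Thumbprint } else { '' }
        AtRisk         = ($root -ne $null) -and ($RemovedRootThumbprints -contains $root.Thumbprint)
    }
    $chain.Reset()                          # clear state before the next certificate
} | Sort-Object AtRisk -Descending | Format-Table -AutoSize
```

Run it before Microsoft ships the root removal to see which certificates will be affected (AtRisk), and again afterwards, when ChainBuilds turns false and ChainStatus shows UntrustedRoot for the same entries.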

In an emailed statement, a Microsoft representative clarified that this action is not related to the industry effort of phasing out SHA-1-signed certificates, even though all root certificates flagged for removal have SHA-1 signatures.

The root CAs in question are being removed because they were not able to comply with the audit requirements that Microsoft uses to ensure that their operations are secure and up to industry standards. The company started talking with the organizations that operate the CAs about the program changes several months ago, to give them ample time to comply, the representative said.
