[SSL Observatory] Microsoft sub-CA issues incorrect certificate for "microsoft.com".

Andrew Birrell birrell at microsoft.com
Sun Mar 25 22:34:25 PDT 2012


I forwarded this to the people who run the sub-sub-CA.  I believe they're now working on fixing it.

Andrew

________________________________________
From: observatory-bounces at eff.org [observatory-bounces at eff.org] on behalf of John Nagle [nagle at animats.com]
Sent: Saturday, March 24, 2012 12:48 PM
To: observatory at eff.org
Subject: [SSL Observatory] Microsoft sub-CA issues incorrect certificate for "microsoft.com".

Take a look at the certificate presented by "https://www.microsoft.com".
This was issued in January 2012.

The CA hierarchy is
GTE CyberTrust Global Root
Microsoft Internet Authority
Microsoft Secure Server Authority

So Microsoft's sub-sub-CA issued this cert.
Looking at the cert contents:

Subject:
CN (Common Name) = www.microsoft.com
OU (Organizational Unit) = MS
O (Organization) = MSCOM
L (Location) = Redmond
ST (State) = WA
C (Country) = US

The "organization" value of "MSCOM" is wrong. It should be "Microsoft
Corporation".

According to "Baseline Requirements for SSL/TLS Certificates"
(http://www.cabforum.org/Baseline_Requirements_V1.pdf), from the
CA/Browser Forum (of which Microsoft is a member) "If the
organizationName field is present, the field MUST contain the Subject’s
name or DBA". Putting random strings into the Organization field is not
allowed. It can be omitted, but if present, must be the real
organization. So this is an improperly issued SSL certificate. It should
be replaced and the old one revoked.

We noticed this because our SSL certificate checking system couldn't
identify "MSCOM" as a valid real-world business in Redmond, Washington.
Until January, that certificate said "Microsoft Corporation", matching
Microsoft's legal business identity, SEC filings, and other indicators
of legitimacy. Our site would bring up Microsoft's SEC filings, revenue,
and an aerial photo of Microsoft HQ. Now we report "microsoft.com" as
owned by an unidentified company.

If we saw this on a less significant site, we'd assume the site had been
hacked.

What else does the Observatory have from Microsoft's sub-CAs?

John Nagle
SiteTruth
650-306-9190
