[SSL Observatory] Microsoft sub-CA issues incorrect certificate for "microsoft.com".

John Nagle nagle at animats.com
Mon Mar 26 13:00:03 PDT 2012


> From: Peter Gutmann<pgut001 at cs.auckland.ac.nz>
> Subject: Re: [SSL Observatory] Microsoft sub-CA issues incorrect certificate for "microsoft.com".
> John Nagle <nagle at animats.com> writes:
>
>> We noticed this because our SSL certificate checking system couldn't identify
>> "MSCOM" as a valid real-world business in Redmond, Washington.
>
> Do you have any more information on how you're doing the checking, and what it
> is you check?  The SiteTruth site is a bit sparse on technical details, and
> it sounds like interesting stuff.
> Peter.

    Go to "Webmasters" on the SiteTruth site, and you'll see detailed
information on what we're checking.  "http://www.sitetruth.com/doc".

    SiteTruth's job is to determine the identity of the business
behind each commercial web site, and provide users with information
about that business.  We pull information from SSL certificates,
mailing addresses on web sites, and Better Business Bureau seals
on web sites themselves to get a name and address.  We then match
commercial business databases, SEC filings, and Dun and Bradstreet
lookups against the name and address data.  The user is provided
with the actual business name and address, the annual revenue of
the company, and links to more financial data where available.
Our slogan is "Know who you're dealing with".

     Check out our information about the EFF:

	http://www.sitetruth.com/rating/eff.org

     This is the beta system.  We have good coverage for the US and
UK, and limited coverage for AU, CA, and NZ.  We're not doing a
full web crawl.  We have some browser add-ons which ask our servers
for company data, and do an examination of previously-unexamined
web sites as necessary.

     Our goal is to have SiteTruth technology incorporated into a major
search engine, so that business legitimacy affects search ranking.
Meanwhile, we're offering a growing range of free user-oriented
services.

     The bogus Microsoft.com certificate caused us an unusual
problem because we trust SSL certs over other data sources.
If the site had no cert at all, we would have matched it to
Microsoft Corporation based on other data sources.  But when
the cert said the company name was "MSCOM", that higher-ranked
data source overrode the others as to company name, and forced
a no-match.

    John Nagle
    SiteTruth
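The precedence problem described in the last paragraph, as an added illustration that is not SiteTruth's code and does not reflect its real inputs or database: a resolver that lets the highest-ranked source (the certificate) decide the company name outright, beside an alternative that tries sources in rank order and reports which higher-ranked source disagreed instead of silently returning no match. The source ranking, the `Evidence` records, the stand-in `BUSINESS_DB` and the "MSCOM" sample are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed evidence record: one identity claim pulled from one source.
@dataclass(frozen=True)
class Evidence:
    source: str   # "ssl_cert", "bbb_seal" or "mailing_address" (assumed labels)
    name: str
    address: str

# Assumed ranking: the post says SSL certs are trusted over other data sources.
SOURCE_RANK = {"ssl_cert": 3, "bbb_seal": 2, "mailing_address": 1}

def normalize(text: str) -> str:
    """Case-fold and collapse whitespace so lookups tolerate formatting noise."""
    return " ".join(text.lower().split())

# Constructed stand-in for the commercial business database; keys are
# (normalized name, normalized address).
BUSINESS_DB = {
    ("microsoft corporation", "one microsoft way, redmond, wa"): "Microsoft Corporation",
}

def lookup(e: Evidence) -> Optional[str]:
    """Match one evidence record against the business database."""
    return BUSINESS_DB.get((normalize(e.name), normalize(e.address)))

def resolve_strict(evidence: List[Evidence]) -> Optional[str]:
    """Highest-ranked source wins outright: if it does not match, nothing does.
    This is the behaviour the post describes (the bogus cert forces a no-match)."""
    top = max(evidence, key=lambda e: SOURCE_RANK[e.source])
    return lookup(top)

def resolve_with_conflicts(evidence: List[Evidence]) -> Tuple[Optional[str], List[str]]:
    """Alternative (assumed) design: walk sources from most to least trusted, return
    the first match, and report every higher-ranked source that failed to match so
    a wrong certificate surfaces as a flagged conflict rather than a silent no-match."""
    conflicts: List[str] = []
    for e in sorted(evidence, key=lambda e: SOURCE_RANK[e.source], reverse=True):
        hit = lookup(e)
        if hit is not None:
            return hit, conflicts
        conflicts.append(e.source)
    return None, conflicts

# Constructed samples mirroring the incident: the cert names "MSCOM", the site's
# mailing address names the real company.
EVIDENCE_WITH_BOGUS_CERT = [
    Evidence("ssl_cert", "MSCOM", "One Microsoft Way, Redmond, WA"),
    Evidence("mailing_address", "Microsoft Corporation", "One Microsoft Way, Redmond, WA"),
]
EVIDENCE_NO_CERT = [
    Evidence("mailing_address", "Microsoft Corporation", "One Microsoft Way, Redmond, WA"),
]

if __name__ == "__main__":
    print("strict, bogus cert:   ", resolve_strict(EVIDENCE_WITH_BOGUS_CERT))   # None
    print("strict, no cert:      ", resolve_strict(EVIDENCE_NO_CERT))            # Microsoft Corporation
    print("with conflicts:       ", resolve_with_conflicts(EVIDENCE_WITH_BOGUS_CERT))
```

Run as a script it shows the two outcomes the post contrasts: with no certificate the lower-ranked address evidence matches, while the "MSCOM" certificate outranks it and produces no match. The conflict-reporting variant keeps the same trust order but makes the disagreement between the certificate and the other sources visible, which is the signal a reviewer would want to see for a mis-issued certificate.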