A Finnish man who obtained an improperly issued HTTPS certificate for a Windows Live address said he warned both Microsoft and Finland authorities of the hole that made the security lapse possible but got no response, according to a published news article.
The unnamed man came into possession of the live.fi certificate after noticing that he was able to use [email protected] as an alias to his normal e-mail address, according to a report published Tuesday by Tivi.fi. Recognizing it was a highly privileged address that allowed him to automatically receive sensitive certificates from browser-trusted certificate authority Comodo, the IT worker quickly realized something was amiss. Despite stumbling on the hole in January, Microsoft only took public action Tuesday, some four to six weeks later. According to a roughly worded English translation of the article:
"I noticed the other day that Microsoft's new e-mail service allows to make a number of aliases, or alternate email addresses to the same account," he says. "I tried, just for fun, I could create a similar domain [unintelligible translation] address."
Surprisingly, the account was created successfully. Thus inspired, he decided to try the registrars of data security. Despite the suspicions of the man managed to ask Comodo certificate without any queries.
According to him, the vulnerability was revealed in January. He immediately informed the Finnish Communications Regulatory Authority, but did not get a proper solution to the problem of assistance.
After this, he informed Microsoft to multiple recipients, but none of the company did not respond to queries.
Finally, last week Thursday, the company suddenly announced his frozen Live.fi e-mail address, and as a result, inter alia, the Lumia phone, Xbox account and e-mail going out of business.
Security researchers have complained for years that the Internet's SSL system is hopelessly broken. Every now and then, events like this one come along to remind us that nothing has changed since the last misadventure. There are several proposals aimed at mending these holes but so far, a mechanism known as certificate pinning is the only significant one to be put into practice.
Read on Ars Technica | Comments