Originally Posted by SkyNigger
After Verisign issued 'bogus' Microsoft certificates (their explanation was that someone fooled them into issuing them to Microsoft Corporation, Microsoft was like "eh these things happen, no problemo homie") in like 2001, the question I've asked many times without an answer is WHY ARE VERISIGN STILL IN BUSINESS? No one else really asks that question. Everyone is so wonderfully forgiving.
This guy demolishes Microsoft's insulting claims post-incident. You would have to be a world-class imbecile (almost, Filipino-level stupid) to fail to understand that Microsoft's mistakes aren't really mistakes so much as 'mistakes'. And insulting ones, at that.
Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
Published: Sunday, June 03, 2012
Executive Summary
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:
Microsoft Enforced Licensing Intermediate PCA (2 certificates)
Microsoft Enforced Licensing Registration Authority CA (SHA1)
Frequently Asked Questions
What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft has confirmed two unauthorized certificates have been issued by Microsoft and are being used in active attacks. During our investigation, a third Certificate Authority has been found to have issued certificates with weak ciphers.
Microsoft has issued an update for all supported releases of Microsoft Windows that addresses the issue.
For affected devices, no update is available at this time.
Does this update address any other unauthorized digital certificates?
Yes, in addition to addressing the three unauthorized certificates described in this advisory, this update is cumulative and addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, and Microsoft Security Advisory 2641690.
Is Windows 8 Release Preview affected by the issue addressed in this advisory?
Yes. The update is available for the Windows 8 Release Preview release. Customers with Windows 8 Release Preview are encouraged to apply the updates to their systems. The updates are only available on Windows Update.
What are certificates used for?
Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files.
Normally you won’t have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases you should follow the instructions in the message.
What is a certification authority (CA)?
Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.
What is a Certificate Trust List (CTL)?
A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, Certificate Trust Verification.
What caused the issue?
Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
What might an attacker use the issue to do?
An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.
What is Microsoft doing to help with resolving this issue?
We have updated the Untrusted Certificate Store to remove the trust in the affected Microsoft certification authorities.
_____________________
You morons just get patronised so nauseously, it should horrify you all.
Well, it would, if you all hadn't been patronised so nauseously for your entire lives.
What caused the issue?
Microsoft is aware of the issue.
Even though the truth is that an unauthorised certificate can be used to take COMPLETE control of your entire system, and by extension, all your systems and all your friends' and families' systems, here is a patronising explanation of the problems the issue can cause.
Even though the truth is that unsupported versions are affected as well; here is some patronising and redundant information about which releases of Microsoft Windows are affected.
Yes, but what CAUSED the issue?
Microsoft is aware of the issue.
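The advisory's only stated mitigation is that the update places the named intermediate CA certificates in the Untrusted Certificates store. The following is an added example, not code from the post or from Microsoft, that checks a Windows machine for exactly that: it reads the LocalMachine "Disallowed" container of the Cert: drive (the store shown as "Untrusted Certificates" in certmgr) and reports whether the two subject names the advisory lists are present; the function names are my own.

```powershell
# Added example: verify that the intermediate CAs distrusted by advisory 2718704
# are present in the machine's Untrusted Certificates store.
# Subject names are taken from the advisory; the store path and cmdlets are
# standard Windows PowerShell. Run from an elevated prompt to read LocalMachine.

$ExpectedSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',          # advisory: 2 certificates
    'Microsoft Enforced Licensing Registration Authority CA'  # advisory: SHA1
)

function Get-DistrustedLicensingCerts {
    param([string]$StorePath = 'Cert:\LocalMachine\Disallowed')
    # Every certificate in the Untrusted store whose subject contains one of the names
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $subject = $_.Subject
            ($ExpectedSubjects | Where-Object { $subject -like "*$_*" }).Count -gt 0
        } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Test-Advisory2718704 {
    # Returns $true only if every expected subject has at least one entry in the store
    $found  = @(Get-DistrustedLicensingCerts)
    $allOk  = $true
    foreach ($name in $ExpectedSubjects) {
        $hits = @($found | Where-Object { $_.Subject -like "*$name*" })
        if ($hits.Count -gt 0) {
            Write-Host ("OK       {0,-55} {1} entr(y/ies)" -f $name, $hits.Count)
        } else {
            Write-Host ("MISSING  {0,-55} update 2718704 may not be applied" -f $name)
            $allOk = $false
        }
    }
    $found | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    return $allOk
}

Test-Advisory2718704
```

On current Windows releases distrust is also distributed through the automatically updated disallowed certificate trust list, so an entry missing from this store is a prompt to check Windows Update history rather than proof that the system still trusts the certificates.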