Microsoft move to revoke trust in 20 root certificates could wreak havoc on sites

Thousands of websites will generate errors in browsers if their owners don't replace certificates in less than a month

Tens of thousands of secure websites might start to display certificate errors to their visitors in January, when Microsoft plans to stop trusting 20 certificate authorities (CAs) from around the world.

The list of certificates that are scheduled to be removed from Microsoft's Trusted Root Certificate Program belong to CAs run by private or state-owned organizations from the U.S., France, the Czech Republic, Japan, Denmark, Chile, Turkey, Luxembourg, Ireland, Slovenia and Brazil.

With their removal from Microsoft's program, the CAs will also be removed from the certificate trust list in Windows that's used by browsers such as Google Chrome, Internet Explorer and Microsoft Edge, as well as by email clients and other applications that support secure communications over SSL/TLS.

When such applications encounter a certificate on a website or other type of server, they verify its authenticity by checking whether it has been signed by a CA listed in the Windows certificate store, or by an intermediary issuer that's itself signed by such a CA.

Therefore, the removal of a CA's certificate from the Microsoft Trusted Root Certificate Program will essentially render all certificates that chain back to it as untrusted. This doesn't apply just to SSL/TLS certificates, but also to code-signing certificates that are used to validate that software programs have been released by legitimate developers and haven't been modified.

Microsoft will remove the 20 CAs because they either voluntarily chose to leave the root program, or because they failed to comply with more stringent technical and auditing requirements that were published in June, said Aaron Kornblum, program manager for governance, risk management and compliance in Microsoft's Enterprise & Security Group, in a blog post Thursday.

It's not clear how many of the 20 organizations decided to retire their CAs willingly, but some of them were not aware that their certificates have been flagged for removal until yesterday.

"We don't have any information from Microsoft about removing our CA from the MTRCP program," said Miroslav Trávníček, project manager at PostSignum, a CA operated by the state-owned Czech Post. "We have an audit valid until December 2016, which was confirmed by Microsoft," he said via email.

PostSignum provides digital certificates for websites, email encryption and electronic signatures needed to communicate with public institutions. It is on Microsoft's list of CAs that are scheduled to be removed.

Certigna, a CA based in France with over 7,000 customers, learned about the removal plans yesterday when Microsoft published its announcement, according to Arnaud Dubois, the CEO of Dhimyotis, the CA's parent company.

It's because of a change to a contract that hasn't been taken into account, but should be fixed Monday or early next week, Dubois said.

Yannick Leplard, director of research and development at Dhimyotis, explained that the company was supposed to sign a new contract with Microsoft in June committing to respect a number of good practices that the CA already follows.

"We’ve checked and it seems that we only received the draft of the contract, and so Microsoft hasn’t had the real contract from us," he said. "We had a contract marked 'For review only,' so we signed the draft."

A root certificate belonging to DanID, a CA operated by the Danish company Nets, is also listed for removal. Nets runs NemID, an hardware-authentication system widely used in Denmark for online banking, government websites and services operated by private companies.

Nets did not immediately respond to a request for comment. Neither did Serasa Experian, the leading credit bureau in Brazil, or the American financial services company Wells Fargo, both of which have multiple root certificates flagged for removal.

Post.Trust, an Irish CA that Microsoft plans to untrust, already has a notice on its website, informing customers that it has ceased to issue SSL certificates. This might be one of the CAs that voluntarily withdrew from the program.

In its notice, the company says that "SSL certificates issued by Post.Trust will remain valid until expiry." While technically this is true, once Microsoft removes the root certificate, users will begin to see errors when they try to access websites that use Post.Trust-issued certificates. The same is true for certificates that chain back to any of the trusted CAs.

"If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate," Kornblum said. "If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue."

Even though users have the option to bypass the security warnings and add to exceptions in their browsers, it's likely that many of them won't. Microsoft recommends that owners of certificates linked to the soon-to-be-removed roots obtain replacements for them from other providers. However, they might want to contact their current CAs first and ask if they have any plans to fix this problem.

In an emailed statement, a Microsoft representative clarified that this action is not related to the industry effort of phasing out SHA-1-signed certificates, even though all root certificates flagged for removal have SHA-1 signatures.

The root CAs in question are being removed because they were not able to comply with the audit requirements that Microsoft uses to ensure that their operations are secure and up to industry standards. The company started talking with the  organizations that operate the CAs about the program changes several months ago, to give them ample time to comply, the representative said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?