Microsoft blacklists fraudulently issued SSL certificate
Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.
Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.
New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo.
While many (but not all) users are familiar with the concept of security software, there are more basic ways to protect unwary surfers from phishing sites, botnets, intrusive advertising and other unwanted visitors: DNS services.
As a safety precaution to prevent SSL server certificates being exploited for network man-in-the-middle attacks on organizations, vendors that issue SSL server certificates will begin adhering to new issuance guidelines as of Nov. 1. These new rules, as described by members of the industry group Certificate Authority/Browser Forum, mean certificate authorities (CAs) will not issue certificates that contain "internal names" and expire after Nov. 1, 2015.
It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.