What went wrong, and why
Digital certificates underlie all secure online communications. They make sure the credit-card data you provide Amazon or Apple is safely transmitted. When you see “https” in a Web address, a digital certificate has proven to your Web browser that the website is what it says it is, and not a fake Amazon clone run by some joker in Eastern Europe.
Unfortunately, the digital-certificate oversight system is a mess. There are only a few “root” certificate authorities (CAs), such as Microsoft, but each has arrangements with dozens of regional and national second-tier CAs around the world, and most of those have their own arrangements with third-tier local CAs.
For the online “Web of trust” to function, all participants have to trust each other, with the result that Microsoft, for example, is obligated to guarantee the authenticity of digital certificates issued by organizations it knows nothing about.
On June 25, an Indian government agency authorized to issue digital certificates on behalf of the main Indian CA, which is in turn recognized by Microsoft, issued, apparently as a result of a security breach, at least four bogus certificates that would let any website claim it was Google or Yahoo.
Google found the fake certificates July 2, and pushed out an emergency update to the Google Chrome browser that would reject them. The Indian government revoked the certificates the next day.
Unfortunately, Microsoft implicitly trusts all certificates backed by the Indian government, which means Internet Explorer and other Web-facing Microsoft software on Windows are still vulnerable. Worse, there may be other fake certificates bearing the Indian government’s stamp out there.
“The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains,” wrote Google security engineer Adam Langley in a blog posting yesterday (July 9). “However, we are also aware of mis-issued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”
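A browser can reject a certificate for a site even when that certificate chains to a root it trusts, because it pins the public key it expects to see for that site. The Go program below is an added example, written for this page and not code from the article, Google or Microsoft: it builds two constructed self-signed CAs that are both in the trust store, pins only the expected one, and then shows that a certificate for the site signed by the other CA passes ordinary chain validation but fails the pin check. The host name www.example.com, the CA names and the serial numbers are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mint builds constructed test certificates: parent == nil gives a self-signed CA,
// otherwise parent signs a server certificate for name.
func mint(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: it signs itself
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end-entity server certificate for name
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a pin stores.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned does the ordinary check (chains to a trusted root, name matches)
// and then additionally requires some certificate in the chain to carry a pinned key.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain for %s is trusted but carries no pinned key", host)
}

// runScenario trusts two CAs, pins only the expected one, and reports whether the
// legitimate leaf passes and whether the mis-issued leaf is rejected by the pin.
func runScenario(host string) (legitOK, bogusRejected bool, err error) {
	expectedCA, expectedKey, err := mint("Expected Root (constructed)", 1, nil, nil)
	if err != nil {
		return false, false, err
	}
	otherCA, otherKey, err := mint("Unrelated Trusted CA (constructed)", 2, nil, nil)
	if err != nil {
		return false, false, err
	}
	legit, _, err := mint(host, 10, expectedCA, expectedKey)
	if err != nil {
		return false, false, err
	}
	bogus, _, err := mint(host, 11, otherCA, otherKey) // mis-issued by a trusted but wrong CA
	if err != nil {
		return false, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(expectedCA)
	roots.AddCert(otherCA)
	pins := map[string]bool{spkiPin(expectedCA): true}
	_, plainErr := bogus.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}) // passes without pins
	legitOK = verifyPinned(legit, roots, host, pins) == nil
	bogusRejected = plainErr == nil && verifyPinned(bogus, roots, host, pins) != nil
	return legitOK, bogusRejected, nil
}

func main() {
	ok, rejected, err := runScenario("www.example.com")
	fmt.Println("legitimate accepted:", ok, "mis-issued rejected by pin:", rejected, "error:", err)
}
```

The point of the scenario is the plainErr line: ordinary validation accepts the mis-issued certificate because the issuing CA is in the trust store, which is exactly the position Windows was in; only the extra pin comparison distinguishes the expected issuer from an unrelated trusted one.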
What Microsoft — and you — can do about this
The last time a certificate breach on this scale happened, Microsoft pushed out a Windows update that de-recognized all certificates issued by a Dutch company that had had its certificates stolen by Iranian hackers, and the company went out of business.
It’s unlikely that Microsoft could do the same with the Indian government, but until it does something to fix the problem, no one should use Internet Explorer to access any website that uses HTTPS secure communications — no online shopping, Webmail, Facebook or online banking. (Viewing websites that don’t use HTTPS, such as Tom’s Guide, should still be okay.)
To make sure other applications, such as Outlook or Word, don’t open up Web links in Internet Explorer, you’ll have to change your default programs. Here’s how:
2. Open up Control Panel and, in the search box, search for Default Programs.
3. Click Default Programs.
4. Click “Set your default programs.”
5. Select either Firefox or Google Chrome.
6. Select “Select this program as default” at the bottom of the dialog box.
7. Click OK.
UPDATE: Microsoft has revoked the affected certificates and pushed out an update to systems that permit automatic updates of digital certificates.
Users of Windows 8, 8.1, RT or RT 8.1 will not have to take any action. Users of Windows Vista or Windows 7 will need to install Microsoft’s automatic certificate updater, available under “Downloads” on its specific Microsoft support page.