Microsoft revokes wrongly issued French govt SSL certificate

Microsoft will revoke a digital secure sockets layer (SSL) certificate that was wrongly issued and which could be used for content spoofing and attacks.

SSL certificates are used to secure internet traffic by authenticating end points and encrypting the data transmitted.

The dodgy certificate affects web browsers in all versions of Windows, including Microsoft's mobile operating system Windows Phone, the company said in a security advisory.

Users on newer versions of Windows do not need to do anything as they will be automatically updated to remove trust for the certificate. Windows XP users and those who do not install the automatic updater of revoked certificates, however, will not receive an update.

The security breach was discovered in early December. Over the weekend Google warned it had become "aware of unauthorised digital certificates" for several of its domains.

The certificate was issued by an intermediate certificate authority (CA) operated by France's Treasury department, Google found. It carried the full authority of the primary French CA, Agence nationale de la sécurité des systèmes d’information (ANSSI).

ANSSI investigated the issue after having been alerted to it by Google.

It said the intermediate CA certificate was used to inspect encrypted traffic with user's knowledge on a private network, with a commercial device, in violation of the national IT authority's usual procedures.

As the certificate was trusted by browsers, it would be possible for the government agency to circumvent SSL authentication and encryption of traffic by pretending to be Google so as to spy on the information sent across the network in question.

At this stage, it is not known if the dodgy certificate was used elsewhere. In 2011, Dutch CA DigiNotar was caught issuing bogus certificates for Google, after it was hacked.

Chrome has since had its certification data updated to block the CA, but Google security engineer Adam Langley labeled the incident "a serious breach" and called for more transparency around certificates to help prevent future mistakes.