
Topic: Microsoft Approves Thai Government's Root Certificate, Which Could Enable Spying

legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
Another reason to not trust MS... can't stand them.
legendary
Activity: 1049
Merit: 1006


Microsoft Approves Thai Government's Root Certificate, Which Could Enable Spying

http://www.tomshardware.com/news/microsoft-thai-government-root-certificate,33505.html

Privacy International, a UK-based nonprofit founded in 1990, released a report showing that Microsoft is the only operating system vendor to have approved the Thai military government's root certificate by default, which is managed by the Electronic Transaction Development Agency (ETDA). The nonprofit worries that the Thai government could now perform "man-in-the-middle" (MITM) attacks against Thai citizens.

Thai Government's Tight Grip On Internet Companies

According to Privacy International, the political environment in Thailand right now is such that it would be difficult for companies to deny a data request, because there isn't a strong legal framework in place that's also well enforced. In other words, companies can't bet on having the law on their side over there. (...)

Windows Only OS To Approve Thai Government Root Certificate

The interception would be unnoticed by the target if the root certificate is trusted by default on an operating system such as Windows or macOS. Privacy International said it noticed that Windows does include the Thai government certificate, whereas macOS does not. Privacy International then asked Microsoft how its root certificate approval works, considering it's been the only one to approve the Thai government's root certificate so far. Microsoft seems to have replied more than two months later, saying it can't disclose how it decided exactly to approve the Thai government certificate, but that the overall approval strategy is found on its website. (...)

Microsoft's Silent Root Certificate Updates

Microsoft has added dozens of new root certificates over the past few years, usually without making it public, and with only a few security researchers discovering when it happened. Some of the silently added root certificates have been attributed to the now infamous WoSign Chinese Certificate Authority (CA). That's the same CA that was punished by Google and Mozilla late last year over backdating of SHA1 certificates and failing to disclose that it bought another CA.

Microsoft's decision to hide, or at least not announce, when it added more root certificates to Windows is quite strange. Root certificates are a highly important component of the overall security of an operating system, and more importantly, they define how much trust users can place in one. Microsoft refusing to say how exactly it approves root certificates isn't helping matters much either. (...)

Source: Tom's Hardware
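The article's two practical points for a Windows administrator are that a root trusted by default lets interception go unnoticed, and that Microsoft adds roots without announcing them. The script below is an added example, not part of the thread or the Tom's Hardware report: it snapshots the trusted root stores into a baseline and, on later runs, reports any root that was added or removed since. The baseline path, the store locations and the optional SST input are my assumptions for the example.

```powershell
<#
  Added example (not from the original thread or article).
  Snapshots the Windows trusted root stores and flags roots that appear or
  disappear after a baseline was taken, so silent additions become visible.

  Assumptions (mine): baseline file location, the two local stores read, and
  the optional SST file. The local stores only contain roots already installed
  or already downloaded on demand by automatic root update; the full list that
  Microsoft ships can be exported with "certutil -generateSSTFromWU roots.sst"
  and passed in via -SstPath to compare the complete set.
#>
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.csv",
    [string]$SstPath = "",        # optional: SST produced by certutil -generateSSTFromWU
    [switch]$UpdateBaseline       # rewrite the baseline instead of diffing against it
)

function Get-TrustedRoots {
    param([string]$Sst)
    $roots = @()
    # Roots installed locally: machine-wide and for the current user
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $roots += Get-ChildItem -Path $store
    }
    # Optional: the Windows Update trust list exported by certutil (serialized store)
    if ($Sst -and (Test-Path $Sst)) {
        $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $coll.Import($Sst)
        $roots += $coll
    }
    # One row per distinct certificate; the thumbprint (SHA-1 of the DER) is the key
    $roots | Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter |
        Sort-Object Thumbprint -Unique
}

$current = Get-TrustedRoots -Sst $SstPath

# First run (or -UpdateBaseline): record what is trusted right now
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) roots -> $BaselinePath"
    return
}

# Later runs: report every thumbprint that is in one set but not the other
$baseline = Import-Csv -Path $BaselinePath
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                       -Property Thumbprint -PassThru

foreach ($entry in $diff) {
    $tag = if ($entry.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Output ("{0} {1} {2}" -f $tag, $entry.Thumbprint, $entry.Subject)
}
if (-not $diff) {
    Write-Output "No change against baseline ($($baseline.Count) roots)."
}
```

Run it once to create the baseline, then on a schedule; any ADDED line names a root the machine now trusts that it did not trust before, which is exactly the event the article says Microsoft does not announce. Reading the SST from Windows Update is worth doing alongside the local stores, because a root Microsoft has approved can be absent from the local store until a chain that uses it is first encountered.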
