We’re starting the new year off with a bang. Microsoft has released a slew of updates, and now’s the time for our semiannual housecleaning of Windows root certificates.
A Microsoft update — KB 2798897 — helps clean up a root-cert mess left by a Turkish certificate issuer.
A root-certificate issuer drops the ball
Back in the Sept. 8, 2011, Top Story, “Certificate cleanup for most personal computers,” I reported on a break-in at a Dutch company that manages security certificates. In that story, I recommended reviewing certificates installed on your PC and removing any that were out of date or suspect. Thanks to a mishandling of root certificates by SSL vendor TURKTRUST, we need to revisit our installed certificates again.
According to Microsoft Security Advisory 2798897 and various other sources, TURKTRUST issued a fraudulent digital certificate that has resulted in actual attacks. Reportedly, the company — in 2011 — accidentally handed out a root certificate authority (CA) certificate to a customer when it should have issued regular SSL certificates.
A Jan. 3 Google blog reported that it “detected and blocked an unauthorized digital certificate for the *.google.com domain,” and a Kaspersky Lab Threatpost article gives a more detailed history of the event. (I’ve purchased regular SSL certs, and they are significantly less expensive than root CAs — which makes me wonder whether there’s more to this story.)
By now, KB 2798897 should have shown up in XP and Win7. To confirm that the bogus certificate has been moved into the Untrusted Certificates folder, follow the steps detailed in the Sept. 8 Top Story. Navigate down to the Untrusted Certificates folder and, in its Certificates subfolder, look for the TURKTRUST and *.google.com certificates (shown in Figure 1).
While we’re at it, let’s review the certificates in the Trusted Root Certification Authorities folder to ensure we want them there. As noted in KB 933430, Windows servers that process SSL transactions can run into trouble if their trusted-root store grows too big.
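For readers who would rather script the two checks above than click through the certificate console, here is an added PowerShell example; it is not part of the original column or of Microsoft’s update. It uses only the built-in Cert: drive, so it runs on Win7 out of the box. It assumes the names to look for are the ones the column mentions (TURKTRUST and *.google.com) and reports only; it does not move or delete anything.

```powershell
# Added example (not from the column): audit the Windows certificate stores
# discussed above. Run from an elevated PowerShell prompt.

# Names taken from the column; adjust the pattern if an advisory names others.
$suspect = 'TURKTRUST|google\.com'

# 1. Confirm the bogus certificates now sit in the Untrusted store.
#    The Cert: drive calls the "Untrusted Certificates" folder "Disallowed".
'--- Untrusted (Disallowed) store: matching entries ---'
foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $suspect -or $_.Issuer -match $suspect } |
        Select-Object @{n='Store';e={$store}}, Subject, NotAfter, Thumbprint |
        Format-Table -AutoSize
}

# 2. Make sure nothing matching those names is still in a *trusted* store
#    (Root = Trusted Root Certification Authorities, CA = Intermediate CAs).
'--- Trusted stores: matching entries (should be empty) ---'
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
                   'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $suspect -or $_.Issuer -match $suspect } |
        Select-Object @{n='Store';e={$store}}, Subject, NotAfter, Thumbprint |
        Format-Table -AutoSize
}

# 3. Review the Trusted Root store itself: how many roots are installed,
#    and which of them are already past their expiry date.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
"--- Trusted roots installed (LocalMachine): $($roots.Count) ---"
'--- Expired trusted roots (candidates for removal) ---'
$roots |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Sort-Object NotAfter |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Section 2 is the check that matters most: a certificate listed in the Untrusted store is only neutralized if no copy of it remains in a trusted store, so an empty result there is what you want to see. The root count in section 3 is the number KB 933430 is concerned with on servers; on a desktop it simply tells you how long the review in the console is going to take.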