Microsoft warns of fake SSL certificate for Windows Live
Microsoft has warned about a fake SSL certificate issued for the Finnish Windows Live domain. Attackers could use the fake certificate to mount a man-in-the-middle attack that the victim's browser would trust.
The erroneous certificate was issued for the domain Live.fi, which Microsoft does own and uses for its Windows Live services. According to Microsoft, the fake SSL certificate cannot be used to generate other certificates or to sign code. An attacker who can intercept a user's connection could, however, use the certificate to serve a fake website and thus capture login data, for example. The user cannot see that anything is wrong, because the certificate appears to be correct.
Microsoft has updated its own certificate revocation list, so users of Internet Explorer and Chrome on Windows should no longer be affected. Firefox manages its own certificates, as does Chrome on other operating systems; it is unclear whether the forged certificate has also been rendered unusable on those configurations. Microsoft says it has no indications that an attack using the fake certificate has taken place.