|
Title: Microsoft Approves Thai Government's Root Certificate, Which Could Enable Spying Post by: TheIrishman on January 27, 2017, 02:08:09 PM https://i.imgur.com/xibkJ2E.jpg
Microsoft Approves Thai Government's Root Certificate, Which Could Enable Spying http://www.tomshardware.com/news/microsoft-thai-government-root-certificate,33505.html (http://www.tomshardware.com/news/microsoft-thai-government-root-certificate,33505.html) Privacy International, a UK-based nonprofit founded in 1990, released a report showing that Microsoft is the only operating system vendor to have approved the Thai military government's root certificate by default, which is managed by the Electronic Transaction Development Agency (ETDA). The nonprofit worries that the Thai government could now perform "man-in-the-middle" (MITM) attacks against Thai citizens. Thai Government's Tight Grip On Internet Companies According to Privacy International, the political environment in Thailand right now is such that it would be difficult for companies to deny a data request, because there isn't a strong legal framework in place that's also well enforced. In other words, companies can't bet on having the law on their side over there. (...) Windows Only OS To Approve Thai Government Root Certificate The interception would be unnoticed by the target if the root certificate is trusted by default on an operating system such as Windows or macOS. Privacy International said it noticed that Windows does include the Thai government certificate, whereas macOS does not. Privacy International then asked Microsoft how its root certificate approval works, considering it's been the only one to approve the Thai government's root certificate so far. Microsoft seems to have replied more than two months later, saying it can't disclose how it decided exactly to approve the Thai government certificate, but that the overall approval strategy is found on its website. (...) Microsoft's Silent Root Certificate Updates Microsoft has added dozens (https://hexatomium.github.io/2015/06/26/ms-very-quietly-adds-18-new-trusted-root-certs/) of new root certificates (https://hexatomium.github.io/2016/10/11/unannounced-root-cert-update/) over the past few years, usually without making it public, and with only a few security researchers discovering when it happened. Some of the silently added root certificates have been attributed to the now infamous WoSign (http://www.tomshardware.com/news/google-certificate-transparency-mozilla-wosign,32919.html) Chinese Certificate Authority (CA). That's the same CA that was punished by Google and Mozilla late last year over backdating of SHA1 certificates and failing to disclose that it bought another CA. Microsoft's decision to hide, or at least not announce when it added more root certificates to Windows, is quite strange. Root certificates are a highly important component of the overall security of an operating system, and more importantly, it defines how much trust users can place in one. Microsoft refusing to say how exactly it approves root certificates isn't helping matters much either. (...) Source: Tom's Hardware (http://www.tomshardware.com/news/microsoft-thai-government-root-certificate,33505.html) Title: Re: Microsoft Approves Thai Government's Root Certificate, Which Could Enable Spying Post by: Spoetnik on January 28, 2017, 06:47:30 AM Another reason to not trust MS.. can't stand them. >:(
|
