Take a look at the certificate presented by "https://www.microsoft.com". This was issued in January 2012.

The CA hierarchy is
GTE CyberTrust Global Root
Microsoft Internet Authority
Microsoft Secure Server Authority

So Microsoft's sub-sub-CA issued this cert.
Looking at the cert contents:

Subject:
CN (Common Name) = www.microsoft.com
OU (Organizational Unit) = MS
O (Organization) = MSCOM
L (Location) = Redmond
ST (State) = WA
C (Country) = US

The "organization" value of "MSCOM" is wrong. It should be "Microsoft Corporation".

According to "Baseline Requirements for SSL/TLS Certificates" (http://www.cabforum.org/Baseline_Requirements_V1.pdf), from the CA/Browser Forum (of which Microsoft is a member) "If the organizationName field is present, the field MUST contain the Subject's name or DBA". Putting random strings into the Organization field is not allowed. It can be omitted, but if present, must be the real organization. So this is an improperly issued SSL certificate. It should be replaced and the old one revoked.

We noticed this because our SSL certificate checking system couldn't identify "MSCOM" as a valid real-world business in Redmond, Washington. Until January, that certificate said "Microsoft Corporation", matching Microsoft's legal business identity, SEC filings, and other indicators of legitimacy. Our site would bring up Microsoft's SEC filings, revenue, and an aerial photo of Microsoft HQ. Now we report "microsoft.com" as owned by an unidentified company.

If we saw this on a less significant site, we'd assume the site had been hacked.

What else does the Observatory have from Microsoft's sub-CAs?

John Nagle
SiteTruth
650-306-9190
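A check of the kind described in the post, as an added example that is not SiteTruth's code: it parses the subject DN as an RFC 4514 string and applies the Baseline Requirements rule on organizationName against a constructed, hypothetical lookup table of legal names (EXPECTED_ORG and check_subject are assumptions, not part of the original).

```python
from typing import List, Tuple

# Constructed, hypothetical reference table: the legal organization name(s)
# acceptable in the O field for a given Common Name.
EXPECTED_ORG = {"www.microsoft.com": {"Microsoft Corporation"}}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute, value) pairs.
    Honours backslash escapes and quoted values, so O=Foo\\, Inc. or
    O="Foo, Inc." stays one value instead of splitting at the comma."""
    rdns, buf, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == '"':                         # toggle quoting, drop the quote
            quoted = not quoted
        elif ch == "," and not quoted:        # unquoted comma ends the RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def check_subject(dn: str) -> Tuple[str, str]:
    """Apply the BR rule: O may be omitted, but if present it must be the
    subject's legal name or DBA. Returns (status, detail) with status one of
    'ok', 'mismatch', or 'unknown' (no reference identity for the CN)."""
    fields = dict(parse_dn(dn))
    cn, org = fields.get("CN", ""), fields.get("O")
    if org is None:
        return "ok", "organizationName omitted, which the BRs permit"
    expected = EXPECTED_ORG.get(cn)
    if expected is None:
        return "unknown", f"no reference identity on file for {cn}"
    if org in expected:
        return "ok", f"O={org!r} matches the legal name"
    return "mismatch", f"O={org!r} is not a legal name or DBA for {cn}"
```

Running check_subject on the subject from the post ("CN=www.microsoft.com, OU=MS, O=MSCOM, L=Redmond, ST=WA, C=US") reports a mismatch; the same DN with O omitted, or with O=Microsoft Corporation, passes.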
