Microsoft Removes Trust in Root Certificates From CAs

Microsoft on Thursday announced that it plans on removing trust on root certificates issued by 11 Certificate Authorities (CAs) in January 2016.


The tech giant explains in a recent blog post that the revoked trust is a consequence of a series of changes to its Trusted Root Certificate Program, which includes more stringent technical and auditing requirements. The company also said that some of the CAs decided to voluntarily leave the program, while others are out of compliance, which results in their root certificates being removed from the Trusted Root CA Store.

The list of CAs to be removed next month includes Certigna, Ceska Posta, CyberTrust, DanID, E-Certchile, e-Tugra, LuxTrust, Nova Ljubljanska, Post.Trust, Secom, and Wells Fargo. A total of 20 certificates will be removed from the Trusted Root CA Store, in an attempt to make the Internet and applications running on users’ devices more trustworthy.

The idea behind the Microsoft Trusted Root Certificate Program was to ensure that devices can determine which programs, apps and websites are trusted by Microsoft. The company explains that this effort usually takes place in the background, meaning no specific user action is required.

The changes made to the program this year were aimed at providing better protection against evolving threats affecting websites and the apps ecosystem. The removal of these root certificates is one step in this direction, and is expected to impact only a small number of customers, namely those who own certificates issued by one of the 11 CAs named above.

Owners of digital certificates currently trusted by Microsoft are encouraged to have a close look at the list and take action where necessary. If a service these customers manage depends on one of the certificates that Microsoft is about to remove, that service is expected to be affected, the company notes.

If one of these certificates is used to secure connections to a server over HTTPS, users will receive a message that there is an issue with the security certificate when trying to navigate to the website. If the certificate is used to sign software, Windows will inform users that the publisher may not be trusted when trying to install the software. In both cases users will be given the option to continue.


“We strongly encourage all owners of digital certificates currently trusted by Microsoft to review the below list and investigate whether their certificates are associated with any of the roots we will be removing as part of the update. If you use a certificate that was issued by one of these companies, we strongly recommend that you obtain a replacement certificate from another program provider,” the tech company notes.

The complete list of providers is available on Microsoft’s TechNet website. The root of a digital certificate can be determined directly from the browser after navigating to the webpage in question.

On Microsoft Edge, users should click the Lock icon in the web address field and can view the company that owns the root under “Website Identification.” In Internet Explorer, users should click the Lock icon > View Certificates > Certification Path, which displays the certificate name at the top. In Chrome, users can click Lock icon > Connection > Certificate Information > Certification Path, while in Firefox they should go to Lock icon > More Information > View Certificate > Click Details.
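For administrators who need to check more than one site, the same check can be scripted on Windows. The following PowerShell is an added example, not code from the article or from Microsoft: it lists entries in the local trusted-root stores whose subject mentions one of the 11 CAs named above, and builds the chain for a certificate file to show which root it terminates at. Matching on the Subject field by CA name is a heuristic assumption (Microsoft's published list is the authority), and the file path in the usage line is hypothetical.

```powershell
# Added example: inventory trusted roots and chain endpoints against the CAs named in the article.
# Subject-name matching is an assumption; confirm any hit against Microsoft's published list.
$RemovedCaNames = @('Certigna', 'Ceska Posta', 'CyberTrust', 'DanID', 'E-Certchile',
                    'e-Tugra', 'LuxTrust', 'Nova Ljubljanska', 'Post.Trust', 'Secom', 'Wells Fargo')

function Find-RemovedRoots {
    # Walk the machine and user trusted-root stores and flag subject-name matches.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $matched = $RemovedCaNames | Where-Object { $cert.Subject -like "*$_*" }
            if ($matched) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    MatchedCA  = ($matched -join ', ')
                }
            }
        }
    }
}

function Get-ChainRoot {
    # Build the chain for a certificate file (.cer/.crt) and return its topmost element,
    # i.e. the root the local store trusts it under. Revocation checking is skipped so the
    # call works offline; a chain that fails to build is still reported with ChainValid = $false.
    param([Parameter(Mandatory)][string]$Path)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($leaf)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Leaf          = $leaf.Subject
        RootSubject   = $root.Subject
        ChainValid    = $built
        OnRemovedList = [bool]($RemovedCaNames | Where-Object { $root.Subject -like "*$_*" })
    }
}

# Usage (the certificate path is a hypothetical placeholder):
Find-RemovedRoots | Format-Table -AutoSize
# Get-ChainRoot -Path 'C:\temp\server.cer'
```

A hit from Find-RemovedRoots only means a root is present in the store; it is the chain check in Get-ChainRoot that tells you whether a certificate you rely on will stop validating once the root is removed.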

Last month, a piece of malicious adware dubbed “Vonteera” was found to be tricking the operating system into adding digital certificates from security companies to an untrusted list. Also in November, it was discovered that computer maker Dell had preloaded devices with a self-signed root certificate which was deemed to pose serious security and privacy risks.

Last week, Google announced that it would remove a Symantec root certificate from Chrome, Android and other products over the coming weeks in an effort to protect its customers, after Symantec announced on Dec. 1 that it had discontinued the VeriSign G1 root certificate, used to issue public code signing and TLS/SSL certificates.
