Certificate Reputation for website owners
Last year, we introduced a new mechanism that Microsoft is building to better protect you against fraudulent certificates on the Web. In this blog post, we are going to explain how we will enable the broader community of site owners to participate in detecting fraudulent certificates and protecting your sensitive personal information on the Internet.
Background
Certificate Reputation allows Microsoft to collect server certificate samples based on telemetry from Windows users and examine them to infer reputation data that helps us protect IE users from fraudulent sites. You can learn more about how certificate reputation works in our post, “Certificate reputation, a novel approach for protecting users from fraudulent certificates.”
More eyes on data allow for better analysis, but confidentiality is also important
In order to provide an opportunity for Web site owners to analyze this data, we are planning to start sharing our certificate samples with their respective domain administrators. Given the sensitivity of this data, only the owners of the Web sites for which the certificates were issued can see those certificates. This allows the people with the best sense of what's expected to participate in monitoring certificate reputation, while preserving the confidentiality of the individual Web sites.
How will it work?
To see the list of certificates associated with a site, the administrator needs an account with Bing Webmaster Tools and must prove that they own that domain name (as described here). Once ownership is verified, the list of certificates associated with the Web site appears on the Bing Webmaster Tools dashboard, and the administrator can download the certificates for further investigation.
How does this help protect me?
Web site administrators are best placed to judge whether a certificate reported for their domain is legitimate: only they know which certificates they actually requested and deployed. If a certificate was mis-issued (or is outright fraudulent), the administrator can report it back to Microsoft via Bing Webmaster Tools so that Microsoft can take appropriate action, including involving the CA that issued the certificate or informing other browsers.
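What the "further investigation" of the downloaded samples looks like in practice, as an added example that is not part of the original post and is not Bing Webmaster Tools code: the script below parses each sample (assumed to be a DER- or PEM-encoded X.509 certificate; the post does not document the download format) and classifies it against what only the owner knows: the SHA-256 fingerprints of the certificates they deployed, the CAs they have ever bought from, and the names they own. The certificates, the `Example CA` and `Other CA` issuer names, the example.com host names and the `make_sample`/`triage`/`demo` helpers are all constructed for the demo; the sample certificates carry placeholder keys and signatures, because signature validity is not the question an owner is answering here.

```python
# Added example: triage of the certificate samples downloaded for a verified domain.
# Not Microsoft's or Bing Webmaster Tools code; assumes DER/PEM X.509 samples, and the
# demo certificates below are constructed with placeholder keys and signatures.
import hashlib
import ssl

OID_CN = bytes.fromhex("550403")    # id-at-commonName     (2.5.4.3)
OID_SAN = bytes.fromhex("551d11")   # id-ce-subjectAltName (2.5.29.17)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                                # child (tag, value) pairs of a SEQUENCE/SET
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _common_name(name_value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN."""
    for _, rdn in _children(name_value):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return ""

def parse_certificate(der):
    """Fields an owner triages on: fingerprint, serial, issuer, subject, SAN dNSNames."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])        # tbsCertificate
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, _validity, subject = fields[:5]
    san = []
    for tag, val in fields[5:]:
        if tag != 0xA3:                               # [3] EXPLICIT extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            parts = _children(ext)                    # OID [, critical], OCTET STRING
            if parts[0][1] == OID_SAN:
                names = _children(_children(parts[-1][1])[0][1])
                san = [v.decode() for t, v in names if t == 0x82]   # [2] dNSName
    return {"fingerprint": hashlib.sha256(der).hexdigest(), "serial": int.from_bytes(serial[1], "big"),
            "issuer": _common_name(issuer[1]), "subject": _common_name(subject[1]), "san": san}

def triage(samples, deployed_fingerprints, authorized_issuers, owned_names):
    """Explain each sample; every verdict other than 'deployed' is a report candidate."""
    findings = []
    for sample in samples:
        der = ssl.PEM_cert_to_DER_cert(sample) if isinstance(sample, str) else sample
        c = parse_certificate(der)
        if c["fingerprint"] in deployed_fingerprints:
            c["verdict"] = "deployed"                 # one we installed ourselves
        elif c["issuer"] not in authorized_issuers:
            c["verdict"] = "unauthorized-issuer"      # a CA we never bought from
        elif not set(c["san"]) <= owned_names:
            c["verdict"] = "foreign-names"            # also covers names we do not own
        else:
            c["verdict"] = "unrecognized"             # our CA, our names, not ours
        findings.append(c)
    return findings

# Constructed demo certificates: real DER structure, placeholder SPKI and signature.
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, OID_CN) + _enc(0x0C, cn.encode()))))

def make_sample(serial, issuer_cn, subject_cn, dns_names):
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    san = _enc(0x30, b"".join(_enc(0x82, n.encode()) for n in dns_names))
    ext = _enc(0x30, _enc(0x06, OID_SAN) + _enc(0x04, san))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, bytes([serial])) + alg
               + _name(issuer_cn)
               + _enc(0x30, _enc(0x17, b"150301000000Z") + _enc(0x17, b"160301000000Z"))
               + _name(subject_cn) + _enc(0x30, alg + _enc(0x03, b"\x00" * 17))
               + _enc(0xA3, _enc(0x30, ext)))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 33))

def demo():
    owned = {"example.com", "www.example.com", "login.example.com"}
    ours = make_sample(1, "Example CA", "www.example.com", ["www.example.com", "example.com"])
    samples = [ssl.DER_cert_to_PEM_cert(ours),                                     # ours, PEM form
               make_sample(2, "Example CA", "login.example.com", ["login.example.com"]),  # never requested
               make_sample(3, "Other CA", "www.example.com", ["www.example.com"]),        # wrong CA
               make_sample(4, "Example CA", "www.example.com", ["www.example.com.attacker.test"])]
    return triage(samples, {hashlib.sha256(ours).hexdigest()}, {"Example CA"}, owned)
```

The order of the checks is the point: a fingerprint match is the only thing that proves the owner installed the certificate, so it is tested first; an unknown issuer or a foreign name is easy to spot, but the "unrecognized" case (the right CA, the right names, and still not a certificate the owner ever requested) is exactly the mis-issuance this post is asking owners to look for, and nothing but the owner's own records can distinguish it from a legitimate renewal.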
Certificate Reputation is being rolled out in preview now in the Bing Webmaster Tools, and you can learn more in their blog post, "Track Certificates to Help Users Stay Safe." If your site uses SSL certificates, we encourage you to try it out and provide feedback via the Bing Webmaster Tools.
– Anoosh Saboori, Program Manager, OSG Enterprise Security
Comments
Anonymous
March 10, 2015
Are you guys on board with certificate transparency as a solution to this problem? "If a certificate is not issued correctly (or is fraudulent), the administrator can report it back to Microsoft", really? This just pushes the problem on everyone with a certificate to constantly check bing. It seems like browser vendors need to get on the same page to avoid a patchwork system where it'll be on webmasters/users to protect themselves, rather than relying on the certificate infrastructure.
Anonymous
March 13, 2015
Perhaps I am missing something - what confidentiality, exactly? These certificates are provided in the public web anyway.
Anonymous
March 20, 2015
@NumbStill: Not all websites using TLS are public and the external certificate does not necessarily match the internal certificate. If IE is hitting an internal website, it doesn't necessarily know that, and so Smartscreen could potentially report Intranet certificates up to Microsoft. That depends on a number of factors, but there'll be cases where it gets the analysis wrong, and sends them a cert it shouldn't. In those cases, those certs could expose network details that could be leveraged by a hacker to attack the internal systems.
Anonymous
March 20, 2015
@Davis: Thanks for the feedback! While Microsoft will continue monitoring for suspicious activity around certificate issuance, we believe that having an open environment where other experts can also look at the data allows for better coverage. This feature provides that opportunity. @NumbStill: Regarding confidentiality, please see the earlier blog post on certificate reputation, linked in this blog post. In a nutshell, enterprises might have sensitive internal domain names that they may not want to expose to the public, and hence keeping those private is important.