Microsoft takes 4 years to recover privileged TLS certificate addresses

On Tuesday, Ars chronicled Microsoft's four- to six-week delay responding to a Finnish man who had obtained a Windows Live e-mail address that allowed him to register unauthorized transport layer security certificates for the live.fi domain. Today comes the tale of a Belgian IT worker who has waited more than four years to return two similar addresses for the live.be domain.

Microsoft's delay in securing addresses such as [email protected] and [email protected] has potential consequences for huge numbers of people. Browser-trusted certificate authorities such as Comodo grant unusually powerful privileges to people with such an address. All the account holders had to do was ask for a domain-validated TLS certificate for live.fi or live.be. Once they clicked a validation link Comodo sent to their e-mail addresses, the certificates were theirs. Comodo's automatic certificate application also works for addresses with the words admin, postmaster, and webmaster immediately to the left of the @ and the domain name for which the certificate is being requested.

It came as a surprise that Microsoft waited until this week to respond to the Finnish man's report, reportedly from January, that he had come into possession of the [email protected] address. One would have expected such addresses to be locked down tight to begin with. Once a breach of this policy was reported, it would have been reasonable to assume Microsoft security personnel would respond to it within a day or two, if not sooner. But the Belgian IT worker's e-mail reveals a mind-boggling wait of more than four years for company officials to respond to his private and voluntary report that he was sitting on the addresses [email protected] and [email protected].
