Microsoft denies helping Thai military government spy on web users
Certificate authorities trusted by Microsoft all independently audited, claims company
Microsoft has denied helping the military government in Thailand spy on opposition figures and people suspected of breaking its lese majeste laws - insulting the monarchy - and claimed that the default trust for the country's national root certificate in Windows is completely secure.
The claims were made today in a new report by campaigning group Privacy International. But in a statement to Computing, Microsoft rejected the organisation's claims, pointing to the independent auditing of all root certificate authorities 'trusted' by the company.
Privacy International's claims are contained in a report called "Who's that knocking at my door: Understanding Surveillance in Thailand".
In it, Privacy International asserts that Microsoft's default trust of the national root certificate means the Thai military government is potentially able to use its control of the root certificate authority to launch man-in-the-middle attacks, capturing people's log-in details for social media accounts, online banking accounts, and more.
Nation-state control over root certificate authorities has been misused by governments in the past, for example by the authoritarian former government of Tunisia until its overthrow in the Arab Spring in January 2011.
Neither Apple, nor Google, nor Mozilla trust Thailand's national root certificate by default.
"The reason the redirection toward a malicious website is not detected is because a user's computer trusts the root certificate. Operating systems like Mac or Windows come with a series of trusted root certificates by default. As long as your operating system trusts a root certificate it can be impossible to detect a malicious use," suggests the report.
"In addition, web browsers can have their own independent certificate stores that may not match that of the operating system. This can be good and bad. If an operating system does not trust a given certificate but the browser does, the user will be unlikely to be given a warning about an untrustworthy site.
"However, the more likely scenario is that a browser will trust a subset of those certificates trusted by the operating system. Of course, other services, such as email and virtual private networks, may rely on the operating system trust store and therefore be vulnerable to attacks that SSL web traffic may not."
The organisation claims that Thailand's military government spies on people through a combination of direct control of communications companies and various techniques for breaking encrypted communications. Control of the nation's own root certificate authority is just one part of this surveillance strategy.
The Thai government has also been accused of liberally deploying its lese-majeste laws against opponents, especially following the death of King Bhumibol.
"It is concerning to see that Microsoft trusts the Thai national root certificate by default when every other company we looked at - Apple, Mozilla and Google - appears to have made the decision not to trust it," said Privacy International research officer Eva Blum-Dumontet.
She suggested that Microsoft's decision made Windows users in Thailand particularly vulnerable to invasions of privacy and state surveillance "should the Thai military government misuse the root certificate".
She added: "Trusting a national root certificate from a country whose governments have a history of human rights violations and a poor record on civil rights and freedom of speech should not be taken lightly."
Microsoft, though, has argued that the Thai national root certificates are perfectly safe.
"Microsoft only trusts certificates issued by organisations that receive Certificate Authority through the Microsoft Root Certificate Programme," a spokesperson told Computing. "This programme is an extensive review process that includes regular audits from a third-party web trust auditor.
"Thailand has met the requirements of our program and you can review the details of the latest audits here and here (PDF). This thorough review, backed by contractual obligations, is not reflected in Privacy International's assessment of the risks."