Privacy International: Microsoft's auditing of certificate authorities "symbolic"

Privacy group refutes Microsoft's claims that Thai root certificates are completely safe

Microsoft's arguments that root certificates issued by Thailand's own national certificate authority are secure because it is independently audited have been criticised by campaigners, who say that the auditors cannot possibly pick up every potential attempt by a certificate authority to hack users.

The claims were made in a report published by Privacy International yesterday, and covered in Computing.

Issued by supposedly trusted authorities, digital certificates are meant to assure web users that the websites they browse are legitimate.

The root certificates are baked into both the Windows operating system and Microsoft's web browsers. Any website bearing a certificate issued by the authority will automatically be trusted by the user's operating system.

Significantly, Apple, Google and Mozilla do not trust Thailand's certificate authority because of its close links to government, but certificates built into operating systems by default typically override web browsers.

It is feared that the Thai government could exert its authority over the certificate organisation to mount man-in-the-middle attacks and, potentially, to redirect users to malicious websites where it could acquire user names and logins for social media accounts, email and other systems without users' knowledge.
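Because the operating system, not the browser, decides which roots are trusted, an administrator who does not share Microsoft's assessment can audit the Windows root stores and explicitly distrust a root. The script below is an added example for that purpose; it is not code from the article, Privacy International or Microsoft. The subject pattern is a placeholder, since the article gives neither the subject name nor the thumbprint of the Thai NRCA root, and the `-Distrust` switch is an assumed option name chosen for this example.

```powershell
# Added example (not from the article): audit the Windows root stores for a
# trusted root you want to review and, optionally, place it in the Disallowed
# store so that Windows rejects any certificate chaining to it.
# The subject pattern is a PLACEHOLDER: the article gives no subject name or
# thumbprint for the Thai NRCA root, so substitute the real value after
# inspecting the certificate yourself. Run as Administrator for LocalMachine.
param(
    [string]$SubjectPattern = "*PLACEHOLDER-ROOT-CA-SUBJECT*",
    [switch]$Distrust
)

# Both the machine-wide and the per-user root store can grant trust; check both.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object @{ n = "Store"; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output "No root matching '$SubjectPattern' found in the local root stores."
    # Windows fetches roots in the Microsoft program on demand through the
    # automatic root update mechanism, so a root can be trusted by the OS
    # without yet being present locally. Pre-seeding the Disallowed store
    # with the known certificate still blocks it when it arrives.
    return
}

# Report what was found: store, subject, thumbprint and expiry.
$found | Format-Table -AutoSize

if ($Distrust) {
    # Entries in the Disallowed (Untrusted Certificates) store cause chain
    # building to fail for everything issued under them, even if the root is
    # later re-downloaded into the Root store.
    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        "Disallowed", "LocalMachine")
    $disallowed.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    foreach ($entry in $found) {
        $cert = Get-Item -Path "$($entry.Store)\$($entry.Thumbprint)"
        $disallowed.Add($cert)
        Write-Output "Distrusted: $($entry.Subject) [$($entry.Thumbprint)]"
    }
    $disallowed.Close()
}
```

Run it without `-Distrust` first to confirm that the pattern matches only the certificate you intend; a pattern that is too broad would distrust unrelated roots and break TLS for every site chaining to them. Distrusting a root in this way affects the operating system and every application that relies on the Windows store, which is exactly the scope of trust the article describes.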

But Privacy International is keen to point out that Microsoft's independent auditing mechanism, which certifies the security of certificate authorities, is not a sufficient guarantee for users faced with a determined government.

Indeed, the auditing organisation itself has pointed out some of the flaws in the system. It admits: "Controls may not prevent, or detect and correct, error, fraud, unauthorised access to systems and information, or failure to comply with internal and external policies or requirements."

It adds: "The WebTrust seal of assurance for Certification Authorities on ETDA's Thailand NRCA website constitutes a symbolic representation." Privacy International cited this in response to Microsoft's own assertions to Computing that its auditing and certification processes meant that certificates issued by Thailand's own authority could be trusted.

Yesterday, a Microsoft spokesman was keen to assert that Microsoft's processes were robust and that the Thai certificate authority was therefore trustworthy.

"Microsoft only trusts certificates issued by organisations that receive Certificate Authority through the Microsoft Root Certificate Programme," a spokesperson told Computing.

They added: "This programme is an extensive review process that includes regular audits from a third-party web trust auditor. Thailand has met the requirements of our program and you can review the details of the latest audits here and here (PDF). This thorough review, backed by contractual obligations, is not reflected in Privacy International's assessment of the risks."