Last year, we introduced a new mechanism that Microsoft is building to better protect you against fraudulent certificates on the Web. In this blog post, we are going to explain how we will enable the broader community of site owners to participate in detecting fraudulent certificates and protecting your sensitive personal information on the Internet.
Background
Certificate Reputation allows Microsoft to collect server certificate samples based on telemetry from Windows users and examine them to infer reputation data that helps us protect IE users from fraudulent sites. You can learn more about how certificate reputation works in our post, “Certificate reputation, a novel approach for protecting users from fraudulent certificates.”
More eyes on data allows for better analysis, but confidentiality is also important
In order to provide an opportunity for Web site owners to analyze this data, we are planning to start sharing our certificate samples with their respective domain administrators. Given the sensitivity of this data, only the owners of the Web sites for which the certificates were issued can see those certificates. This allows the people with the best sense of what’s expected to participate in monitoring certificate reputation, while preserving the confidentiality of the individual Web sites.
How will it work?
To see the list of certificates associated with a site, the administrator needs to have an account with the Bing Webmaster Tools and to prove that they own that domain name (as described here). After that, the list of certificates associated with the Web site will be available on the Bing Webmaster Tools dashboard and the administrator can download them for further investigation.
How does this help protect me?
Web site administrators are the best entities to decide on authenticity of certificates reported under their name. If a certificate is not issued correctly (or is fraudulent), the administrator can report it back to Microsoft via the Bing Webmaster Tools so that Microsoft can take appropriate actions, including involving the issuing CA for that certificate or informing other browsers.
Certificate Reputation is being rolled out in preview now in the Bing Webmaster Tools, and you can learn more in their blog post, “Track Certificates to Help Users Stay Safe.” If your site uses SSL certificates, we encourage you to try it out and provide feedback via the Bing Webmaster Tools.
– Anoosh Saboori, Program Manager, OSG Enterprise Security