Report criticizes Microsoft for trusting Thai government root certificate


The organization Privacy International has released a report on government surveillance in Thailand. The report draws attention to the fact that Microsoft trusts the government’s digital root certificate, while other parties do not.

In the report, the organization states that the Thai government has a root certificate, with which it can act as a certificate authority and sign certificates for third parties. The problem is that this gives the government a lot of power: it could, for example, redirect users to a malicious site and intercept encrypted communications. Normally, users receive a warning that such a certificate is untrusted. Windows users do not get this warning, according to Privacy International, because Microsoft trusts the government certificate by default.

Other companies, such as Apple, Mozilla and Google, reportedly do not trust the certificate. Although Windows users are able to remove trusted certificates themselves, Microsoft’s decision has consequences for many users, Privacy International writes. For example, the Thai government is said to have already carried out downgrade attacks on encrypted connections in 2014, causing an encrypted connection to switch to an insecure variant. This would make the content of e-mails readable, for example. In 2014, a military coup took place in Thailand, during which Facebook could not be reached for a short time. It is unclear whether that outage was an intentional act or a technical malfunction, the report said.

Microsoft has responded to the criticism, both to Privacy International and to The Verge. The company provided The Verge with a more comprehensive response, saying that Thailand’s root certificate meets its standards. Furthermore, a spokesperson said that “Microsoft only trusts certificates approved by its Root Certificate Program, which involves an extensive research process along with regular third-party audits.” This process is said not to be reflected in the Privacy International report.
