Microsoft Unveils New Bing Certificate-Tracking Tool for Webmasters

The software giant is helping webmasters combat fraudulent site certificates with an update to Bing Webmaster Tools.

Bing Webmaster Tools

Microsoft has updated Bing Webmaster Tools with new monitoring and reporting options that users can employ to fight back against fraudulent Websites that may be tarnishing their presumably good names.

A preview of the feature, simply called Track Certificates, is found under the Security section, which also now contains the Malware Re-Evaluation tool and "allows you to track and review certificates that were requested by browsers visiting your site right from within Bing Webmaster Tools," announced Vincent Wehren, senior product lead of Bing Webmaster and Publisher Experiences at Microsoft, in a statement. The tool was built in collaboration with Microsoft's Operating Systems Group (OSG) Enterprise Security unit, he noted.

Website operators have been struggling with fraudulent Secure Sockets Layer (SSL) certificates for years. Last month, the Certificate Authority Security Council (CASC), which counts GoDaddy, Comodo, DigiCert, Symantec and GlobalSign among its members, reported that it was making progress in safeguarding this vital piece of the Web security puzzle with efforts like Certificate Authority Authorization (CAA) and the elimination of "Internal Names," or non-unique identifiers, from SSL certificates.

A year ago, Microsoft introduced its own approach called Certificate Reputation that uses Internet Explorer (IE) 11 telemetry—provided that users selected the browser's SmartScreen feature—to verify a certificate's validity. "If a new certificate issued by a different trusted CA (other than the one the site uses typically) is detected for a site, Certificate Reputation can flag it automatically," explained Microsoft.

Now Webmasters can join the hunt. "Track Certificate not only shows you the certificates we encountered, you can also directly report certificates to Microsoft if they look fraudulent or suspicious," said Wehren. "All reported certificates will be reviewed and appropriate action will be taken by Microsoft, including involving the issuing Certificate Authority, or informing other browser manufacturers about the certificate."

Users can review certificates and determine a certificate's host, the name of the entity to whom the certificate was issued and the issuing Certificate Authority (CA). In addition, the tool reports when the Certificate Reputation service first and last encountered a certificate and when it will expire. Finally, users can download the certificate for a closer look (X.509 in binary DER format, PKCS#7 support is in the works), and if necessary, report bogus certificates to Microsoft.

Wehren cautioned that given the source of the data used by Track Certificates, it is very much a preview release.

The telemetry captured by Microsoft Certificate Reputation system is currently limited to browsers running on the company's upcoming Windows 10 operating system. "Since Windows 10 is currently available as a Preview to the Windows Insider Program, the data collected is not yet as comprehensive as it will be once Windows 10 becomes available more broadly to the general public," Wehren said.

Microsoft released the tool on the belief that Webmasters are the ultimate gatekeepers for their own sites, he asserted. "With Track Certificates, we allow webmasters and site owners to review certificates that were requested by browsers when accessing their site and to report them to Microsoft should they be suspicious."

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...