Crypto certificates impersonating Google and Yahoo pose threat to Windows users
OS currently has no reliable way to detect bogus credentials released into the wild.
People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo and possibly an unlimited number of other Internet properties.
A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that IE and many other Windows apps rely on to process the TLS certificates that banks, e-mail providers, and other online services use to encrypt traffic and prove their authenticity. (Firefox, Thunderbird, and Chrome on Windows aren't at risk. More about that later in this post.)
Spoofed/Fake digital certs is something we see a lot of, with files it easier to see the fake files but with websites is really hard for the user. You can be as careful and not do anything silly and be caught out. Best practices still apply in these cases, and its why we advise people not to use a common password for all website logins. If a site has a bogus cert and your password/login details gets take at least they only have access to that one site. And hopefully the web admin will realise the issues with the certs quickly and fix the issue.