Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority (CA) , after it was found that it had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.
The Malaysian company was issued an intermediate CA certificate in July 2010 by Entrust in Dallas, Texas, which was licensed for distribution with SSL (Secure Sockets Layer) and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.
[ Go deep into HTML5 programming in InfoWorld's "HTML5 Megaguide Deep Dive" PDF how-to report. Then understand the issues surrounding HTML5 today in InfoWorld's HTML5 Deep Dive PDF strategy report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]
Entrust said in a bulletin on its website that it had been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Entrust has revoked the 512-bit certificates issued by Digicert and made them available to major browser vendors to blacklist if found appropriate, it added.
Digicert in Malaysia does not have any relationship with DigiCert, a CA based in Utah.
Digicert in Malaysia could not be immediately reached for comment. It said on its website that it is at the center of an effective trust model that the Malaysian government is creating to address the issue of information security, and the negative perception about online transactions. The company said it was licensed by the Malaysia government, and its "trust solutions are legally recognized under Malaysian law".
Entrust said it will revoke the intermediate CA certificate on or before Tuesday, to give Digicert Malaysia's customers a "modest amount of time" to replace their SSL server certificates. Entrust has meanwhile made the intermediate certificate available to the browser vendors for blacklisting.
The certificates in question were issued to a mix of Malaysian government websites and internal systems, Mozilla said in its security blog. "We do not believe other sites are at risk," it added.
Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that it was not a Firefox specific issue, and the update will be in Firefox 8 and Firefox 3.6.24. Mozilla said the issue was reported to it by Entrust.
Firefox 3.6.24 is scheduled for release on Nov. 8 while Firefox 8 will release on Nov. 17, according to Mozilla.
Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update. said Jerry Bryant, group manager, response communications for Trustworthy Computing at the company, in a blog post.
"There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised," Bryant said. The compromised certificates could allow an attacker to impersonate the legitimate owner thus making the user believe they are trusting a website or signed software that was created for malicious use, he added.
Google is blocking serial numbers that correspond to the 22 certificates. As a larger measure, it plans to block the Digicert certificate by Tuesday, the date also decided upon by Entrust.
There is no evidence that the Digicert Malaysia certificate authorities have been compromised, Entrust said.
Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch CA DigiNotar, according to a report released in September by security firm, Fox-IT. A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel's Mossad, after a security breach.