Web authority found issuing 'weak' certificates
An intermediate Web certificate authority had its trust revoked by browser maker Mozilla after it was found to issue "weak" and potentially compromisable certificates.
Mozilla said Entrust Inc., a certificate authority in its root program, indicated its subordinate certificate authority issued 22 certificates with weak keys.
"Malaysian company DigiCert Sdn. Bhd. has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised," it said.
For now, Mozilla said it is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24.
DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust), Mozilla pointed out.
But the Malaysian firm bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program.
Also, Mozilla said this is not a Firefox-specific issue.
"Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority," it added.
Mozilla also noted that the certificates issued by DigiCert Sdn. Bhd. contain several technical issues.
The certificates lack an Extended Key Usage (EKU) extension specifying their intended usage, and they were issued without revocation information, Mozilla added.
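The three defects described above (a weak RSA modulus, no EKU extension, no revocation pointers) can be checked on any certificate before it is trusted or deployed. The script below is an added example, not code from Mozilla, Entrust or either DigiCert; it is standard-library Python that walks the DER-encoded TBSCertificate directly. The 2048-bit floor is an assumption (the article only says 512-bit keys are weak), the certificates it audits are constructed skeletons with empty names and a dummy signature, built inline for testing, and the CRL URL inside them is a placeholder.

```python
"""Audit a DER X.509 certificate for the defects the article lists: weak RSA
modulus, missing EKU extension, and no revocation pointers (CRL DP or AIA)."""

RSA_OID, SHA256_RSA_OID = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11"
EKU_OID, CRL_DP_OID, AIA_OID = "2.5.29.37", "2.5.29.31", "1.3.6.1.5.5.7.1.1"
MIN_RSA_BITS = 2048  # assumed policy floor; the article only says 512 is weak

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, content) for each element of a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _rsa_modulus_bits(spki):
    """Modulus bit length from a SubjectPublicKeyInfo, or None if not RSA."""
    alg, key_bits = [v for _, v in _children(spki)]
    if _decode_oid(next(_children(alg))[1]) != RSA_OID:
        return None
    _, rsa_pub, _ = _read_tlv(key_bits[1:], 0)  # skip unused-bits octet of BIT STRING
    _, modulus, _ = _read_tlv(rsa_pub, 0)        # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()

def audit_certificate(der):
    """Return a list of findings; an empty list means all three checks passed."""
    _, cert_body, _ = _read_tlv(der, 0)   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read_tlv(cert_body, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # optional [0] version; drop it so indices are stable
        fields = fields[1:]
    spki = fields[5][1]                   # serial, sigAlg, issuer, validity, subject, spki, ...
    extensions = next((v for t, v in fields[6:] if t == 0xA3), None)
    findings = []
    bits = _rsa_modulus_bits(spki)
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {bits}-bit modulus (policy floor {MIN_RSA_BITS})")
    present = set()
    if extensions is not None:
        _, ext_seq, _ = _read_tlv(extensions, 0)  # [3] wraps SEQUENCE OF Extension
        present = {_decode_oid(next(_children(ext))[1]) for _, ext in _children(ext_seq)}
    if EKU_OID not in present:
        findings.append("no Extended Key Usage extension: intended usage is unrestricted")
    if CRL_DP_OID not in present and AIA_OID not in present:
        findings.append("no revocation information: neither CRL Distribution Points nor AIA")
    return findings

# Constructed test input below: a minimal X.509 skeleton (empty names, dummy signature).
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def _der_int(value):  # positive integer, minimal octets plus a sign octet when needed
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def build_sample_cert(modulus_bits, with_eku, with_crl_dp):
    """Constructed, unsigned skeleton for testing; not a real certificate."""
    modulus = (1 << (modulus_bits - 1)) | 1  # odd integer of exactly modulus_bits
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _der_oid(RSA_OID) + b"\x05\x00") + _der(0x03, b"\x00" + rsa_pub))
    sig_alg = _der(0x30, _der_oid(SHA256_RSA_OID) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"111101000000Z") + _der(0x17, b"121101000000Z"))
    exts = b""
    if with_eku:  # EKU ::= SEQUENCE OF OID, here serverAuth
        exts += _der(0x30, _der_oid(EKU_OID) + _der(0x04, _der(0x30, _der_oid("1.3.6.1.5.5.7.3.1"))))
    if with_crl_dp:  # one DistributionPoint carrying a placeholder URI GeneralName
        uri = _der(0x86, b"http://crl.example/ca.crl")
        exts += _der(0x30, _der_oid(CRL_DP_OID) + _der(0x04, _der(0x30, _der(0x30, _der(0xA0, _der(0xA0, uri))))))
    tbs = (_der(0xA0, _der_int(2)) + _der_int(1) + sig_alg + _der(0x30, b"") + validity
           + _der(0x30, b"") + spki + (_der(0xA3, _der(0x30, exts)) if exts else b""))
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 65))
```

To audit a real certificate, pass its DER bytes to audit_certificate(); for a PEM file, base64-decode the text between the BEGIN and END markers first. The key-size check returns None and is skipped for non-RSA keys, so a production audit would need to add curve checks for ECDSA certificates; a certificate built with build_sample_cert(512, False, False) reproduces all three findings the article describes, while build_sample_cert(2048, True, True) passes cleanly.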
Impact
Mozilla said an attacker could use one of these weak certificates to impersonate the legitimate owners.
This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software.
"The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk," it said.
Statement from Entrust
Entrust issued a bulletin on certificates issued with weak 512-bit RSA keys by Digicert Malaysia.
Entrust said it had issued an intermediate CA certificate (a cross certificate) to Digicert Malaysia in July 2010, licensing the Malaysian CA to distribute SSL and S/MIME certificates.
"It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards," it said.
Digicert Malaysia has revoked all 22 of the 512-bit certificates it issued and has made them available to major browser vendors to blacklist as they deem appropriate.
Entrust said it will revoke the intermediate CA certificate on or before November 8, giving Digicert Malaysia's customers a modest amount of time to replace their SSL server certificates.
Entrust has made the intermediate certificate available to the browser vendors for blacklisting.
But it stressed there is "no evidence that the Digicert Malaysia certificate authorities have been compromised."
"Entrust certificate authorities have not been affected. Entrust continues to put security of its systems and customers first and will continue to monitor its policies and security parameters to ensure the security of Entrust issued digital certificates," it added.
Also, Entrust said it believes that security companies have a duty to take action when security incidents like this occur.
"Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users," it said.
Dutch authority suspends certs
Meanwhile, a Dutch certificate authority, KPN/Getronics, also announced the suspension of the issuance of digital certificates.
A breach was discovered on a KPN web server related to its PKI, with the attack dating back four years, Kaspersky Labs said in a blog post.
"KPN, best known for its telecom business, acquired Getronics four years ago. Former Getronics has a certificate authority similar to Diginotar. Like Diginotar, KPN is allowed to issue 'special' certificates for the Dutch government and public services. In fact, many organizations affected by the Diginotar incident switched to KPN certificates," it said.
But Kaspersky said it is still not clear whether a breach of the CA server(s) can be ruled out; results should come in next week, it added.
Kaspersky noted KPN is a much bigger certificate authority than Diginotar, which suffered a breach earlier this year.