Web authority found issuing 'weak' certificates
An intermediate Web certificate authority had its trust revoked by browser maker Mozilla after it was found to issue "weak" and potentially compromisable certificates.
Mozilla said Entrust Inc., a certificate authority in its root program, indicated its subordinate certificate authority issued 22 certificates with weak keys.
"Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised," it said.
For now, Mozilla said it is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24.
DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust), Mozilla pointed out.
But the Malaysian firm bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program.
Also, Mozilla said this is not a Firefox-specific issue.
"Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority," it added.
It noted certificates from DigiCert contain several technical issues.
The certificates lack an EKU extension specifying their intended usage and they have been issued without revocation information, Mozilla added.
Impact
Mozilla said an attacker could use one of these weak certificates to impersonate the legitimate owners.
This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software.
"The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk," it said.
Statement from Entrust
Entrust issued a bulletin on certificates issued with Weak 512-bit RSA Keys by Digicert Malaysia.
Entrust said it has issued an intermediate CA certificate (cross certificate) to Digicert Malaysia which has been licensed for distribution with SSL and S/MIME certificates.
It said it issued the intermediate CA certificate in July 2010.
"It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards," it said.
Digicert Malaysia has revoked all 22 of the 512-bit certificates they issued and have made them available to major browser vendors to blacklist as they deem appropriate.
Entrust said it will revoke the intermediate CA certificate on or before November 8, giving Digicert Malaysia's customers a modest amount of time to replace their SSL server certificates.
Entrust has made the intermediate certificate available to the browser vendors for blacklisting.
But it stressed there is "no evidence that the Digicert Malaysia certificate authorities have been compromised."
"Entrust certificate authorities have not been affected. Entrust continues to put security of its systems and customers first and will continue to monitor its policies and security parameters to ensure the security of Entrust issued digital certificates," it added.
Also, Entrust said it believes that security companies have a duty to take action when security incidents like this occur.
"Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users," it said.
Dutch authority suspends certs
Meanwhile, a Dutch certificate authority, KPN/Getronics, also announced the suspension of the issuance of digital certificates.
It said a breach has been discovered on a KPN web server related to PKI with the attack dating back to four years, Kaspersky Labs said in a blog post.
"KPN, best known for its telecom business, acquired Getronics four years ago. Former Getronics has a certificate authority similar to Diginotar. Like Diginotar, KPN is allowed to issue 'special' certificates for the Dutch government and public services. In fact, many organizations affected by the Diginotar incident switched to KPN certificates," it said.
But it said it is still not clear if a breach of the CA server(s) can be ruled out or not. Results should come in next week, it added.
Kaspersky noted KPN is a much bigger certificate authority than Diginotar, which also suffered a breach earlier this year
