Mozilla, Microsoft withdraw trust in Malaysian intermediate CA
The move follows a bulletin by Entrust which issued the intermediate certificate to the Malaysian company
IDG News Service - Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority (CA), after it was found that it had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.
The Malaysian company was issued an intermediate CA certificate in July 2010 by Entrust in Dallas, Texas, which was licensed for distribution with SSL (Secure Sockets Layer) and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.
Entrust said in a bulletin on its website that it had been discovered that Digicert Malaysia had issued certificates with weak 512-bit RSA keys and missing certificate extensions. Entrust has revoked the 512-bit certificates issued by Digicert and made them available to major browser vendors to blacklist if found appropriate, it added.
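The defects Entrust describes (512-bit RSA keys, and certificates lacking the usual extensions and the CRL/OCSP pointers that carry revocation information) are all visible in a certificate's DER encoding, so a relying party can audit for them without trusting the issuer's own tooling. The script below is an added example written for this article, not code from Entrust, Digicert or either browser vendor. It uses only the Python standard library: a minimal DER walker extracts the RSA modulus length and the extension OIDs, and a small DER writer builds constructed, unsigned sample certificates for the check (the 512-bit "modulus" is a synthetic number of the right length, not a real key). The 2048-bit threshold and the set of required extensions are assumed policy values, not figures from the article.

```python
"""Audit a DER X.509 certificate for a short RSA key and missing extensions.
Pure standard library; no OpenSSL or third-party ASN.1 parser required."""

MIN_RSA_BITS = 2048            # assumed policy baseline, not from the article
RSA_OID = "1.2.840.113549.1.1.1"
REQUIRED_EXTENSIONS = {        # assumed minimum set a server cert should carry
    "2.5.29.19": "basicConstraints",
    "2.5.29.15": "keyUsage",
    "2.5.29.31": "cRLDistributionPoints",      # revocation information (CRL)
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",  # revocation information (OCSP)
}

# ---- minimal DER reader ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the body of a constructed type into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    """Decode OID content octets to dotted form (base-128 arcs)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def audit_certificate(der):
    """Return findings: key algorithm, RSA key bits, weak-key flag, missing extensions."""
    _, cert_body, _ = read_tlv(der)             # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)             # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg, pubkey = children(fields[5][1])
    alg_oid = decode_oid(children(alg[1])[0][1])
    findings = {"key_algorithm": alg_oid, "key_bits": None}
    if alg_oid == RSA_OID:
        rsa_pub = pubkey[1][1:]                 # BIT STRING: drop unused-bits octet
        modulus = children(read_tlv(rsa_pub)[1])[0][1]   # RSAPublicKey.modulus
        findings["key_bits"] = int.from_bytes(modulus, "big").bit_length()
    present = set()
    for tag, val in fields[6:]:
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                present.add(decode_oid(children(ext)[0][1]))   # Extension.extnID
    findings["missing"] = [n for oid, n in REQUIRED_EXTENSIONS.items() if oid not in present]
    findings["weak_key"] = findings["key_bits"] is not None and findings["key_bits"] < MIN_RSA_BITS
    return findings

# ---- minimal DER writer, only used to build constructed sample certificates ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunks.insert(0, a & 0x7F)
        body += bytes(c | 0x80 for c in chunks[:-1]) + bytes([chunks[-1]])
    return tlv(0x06, body)

def sample_certificate(key_bits, extension_oids):
    """Constructed, unsigned certificate with a synthetic modulus of key_bits bits."""
    modulus = (1 << (key_bits - 1)) | 1        # right length only, NOT a real key
    rsa_pub = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, der_oid(RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_pub))
    name = tlv(0x30, b"")                      # empty Name is enough for the walker
    validity = tlv(0x30, tlv(0x17, b"111103000000Z") + tlv(0x17, b"121103000000Z"))
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")   # sha256WithRSA
    exts = b"".join(tlv(0x30, der_oid(o) + tlv(0x04, b"\x30\x00")) for o in extension_oids)
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name
              + spki + (tlv(0xA3, tlv(0x30, exts)) if extension_oids else b""))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))   # dummy signature

if __name__ == "__main__":
    print("weak:", audit_certificate(sample_certificate(512, [])))
    print("good:", audit_certificate(sample_certificate(2048, list(REQUIRED_EXTENSIONS))))
```

Run against a real certificate, `audit_certificate(open("cert.der", "rb").read())` gives the same findings dict; the constructed samples exist only so the check can be exercised offline. The walker deliberately does not verify the signature: the point of the audit is the issuer's key-size and extension policy, which is judged from the TBS structure alone.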
Digicert in Malaysia does not have any relationship with DigiCert, a CA based in Utah.
Digicert in Malaysia could not be immediately reached for comment. It said on its website that it is at the center of an effective trust model that the Malaysian government is creating to address the issue of information security, and the negative perception about online transactions. The company said it was licensed by the Malaysia government, and its "trust solutions are legally recognized under Malaysian law."
Entrust said it will revoke the intermediate CA certificate on or before Tuesday, to give Digicert Malaysia's customers a "modest amount of time" to replace their SSL server certificates. Entrust has meanwhile made the intermediate certificate available to the browser vendors for blacklisting.
The certificates in question were issued to a mix of Malaysian government websites and internal systems, Mozilla said in its security blog. "We do not believe other sites are at risk," it added.
Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that this is not a Firefox-specific issue; the update will ship in Firefox 8 and Firefox 3.6.24. Mozilla said the issue was reported to it by Entrust.
Firefox 3.6.24 is scheduled for release on Nov. 8 while Firefox 8 will release on Nov. 17, according to Mozilla.
Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update, said Jerry Bryant, group manager, response communications for Trustworthy Computing at the company, in a blog post.
"There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised," Bryant said. The compromised certificates could allow an attacker to impersonate the legitimate owner thus making the user believe they are trusting a website or signed software that was created for malicious use, he added.