Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Mozilla, Microsoft withdraw trust in Malaysian intermediate CA

The move follows a bulletin by Entrust which issued the intermediate certificate to the Malaysian company

Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority (CA) , after it was found that it had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.

The Malaysian company was issued an intermediate CA certificate in July, 2010 by Entrust in Dallas, Texas, which was licensed for distribution with SSL (Secure Sockets Layer) and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.

Entrust said in a bulletin on its website that it had been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Entrust has revoked the 512-bit certificates issued by Digicert and made them available to major browser vendors to blacklist if found appropriate, it added.

Digicert in Malaysia does not have any relationship with DigiCert, a CA based in Utah.

Digicert in Malaysia could not be immediately reached for comment. It said on its website that it is at the center of an effective trust model that the Malaysian government is creating to address the issue of information security, and the negative perception about online transactions. The company said it was licensed by the Malaysia government, and its "trust solutions are legally recognized under Malaysian law".

Entrust said it will revoke the intermediate CA certificate on or before Tuesday, to give Digicert Malaysia's customers a "modest amount of time" to replace their SSL server certificates. Entrust has meanwhile made the intermediate certificate available to the browser vendors for blacklisting.

The certificates in question were issued to a mix of Malaysian government websites and internal systems, Mozilla said in its security blog. "We do not believe other sites are at risk," it added.

Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that it was not a Firefox specific issue, and the update will be in Firefox 8 and Firefox 3.6.24. Mozilla said the issue was reported to it by Entrust.

Firefox 3.6.24 is scheduled for release on Nov. 8 while Firefox 8 will release on Nov. 17, according to Mozilla.

Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update. said Jerry Bryant, group manager, response communications for Trustworthy Computing at the company, in a blog post.

"There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised," Bryant said. The compromised certificates could allow an attacker to impersonate the legitimate owner thus making the user believe they are trusting a website or signed software that was created for malicious use, he added.

There is no evidence that the Digicert Malaysia certificate authorities have been compromised, Entrust said.

Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch CA DigiNotar, according to a report released in September by security firm, Fox-IT. A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel's Mossad, after a security breach.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: CA Technologies, Entrust, Microsoft, Mozilla, RSA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: DigiCert, Entrust, Microsoft, mozilla, security
Latest Blog Posts
Whitepapers
  • Web 2.0 in the Workplace Today
    More than a decade after the term ‘Web 2.0’ was coined, many businesses are still nowhere near to taking full advantage of the collaborative technologies the term refers to. Undoubtedly, confidence is growing in relation to using tools such as Facebook, Skype, Twitter, and indeed many more organisations are using such technology now compared to even just a couple of years ago. But the fact remains that a worrying amount of businesses seem to be operating a ‘lockdown’ approach – an approach that I’m sure many Board-level staff know is simply not good for business in the long-term.
    Learn more »
  • Why Encrypt? Securing Email without compromising communications.
    Encryption is a vital component of any DLP strategy. It allows businesses to exchange sensitive information without compromising on security; even if data is intercepted, encryption makes it unreadable and renders it tamper-proof. Read on.
    Learn more »
  • Agile: Transforming small-team thinking into big business results
    Agile is fast becoming the development method of choice for many Australian businesses. This whitepaper discusses key trends and best practices for scaling agile within complex organisations.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.