Mozilla – the producers of the popular Firefox range of web browsers for multiple platforms – said that Entrust, a certificate authority in its root program, indicated its subordinate CA had issued 22 certificates with weak keys.
"Malaysian company DigiCert Sdn. Bhd. has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised", said Mozilla in its statement on the issue.
Mozilla said it is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update has been included in Firefox 8, which was rolled out to users of the desktop browser this week.
Infosecurity notes that DigiCert Sdn. Bhd. is a Malaysian firm with no links to US-based DigiCert, Inc., which is a member of Mozilla’s root program. In addition, the certificates appear to lack an Extended Key Usage (EKU) extension specifying their intended usage, and they were issued without revocation information.
Entrust says that in July of last year it issued an intermediate CA certificate (a cross certificate) to Digicert Malaysia, which was licensed to issue SSL and S/MIME certificates.
"It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards", notes Entrust's statement on the issue.
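The three defects named above (an undersized RSA key, no EKU extension, no revocation information) are all visible in the certificate itself and can be checked mechanically before a certificate is trusted or deployed. The following audit function is an added example written for this article; it is not code from Mozilla, Entrust or either DigiCert. It uses the Python `cryptography` library, builds two constructed self-signed demo certificates in memory (current library versions refuse to generate 512-bit keys, so the "weak" demo key is 1024 bits, still below the 2048-bit minimum the checker enforces), and reports every finding. The hostnames and URLs are placeholders.

```python
"""Audit an X.509 certificate for the defects described in the article:
an undersized RSA key, a missing Extended Key Usage (EKU) extension, and
no revocation information (neither a CRL distribution point nor an OCSP URL).
Added example; not the code of any CA or browser vendor named in the article."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

MIN_RSA_BITS = 2048  # current CA/Browser Forum minimum; 512-bit keys are far below it


def audit_certificate(cert: x509.Certificate) -> list[str]:
    """Return a list of human-readable findings; an empty list means the
    certificate passes all three checks."""
    findings = []

    # 1. Key strength: only RSA is policed here (the article's case).
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {pub.key_size} bits (< {MIN_RSA_BITS})")

    # 2. Intended usage must be constrained by an EKU extension.
    try:
        cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        findings.append("missing Extended Key Usage extension")

    # 3. Relying parties need a way to learn about revocation: CRL DP or OCSP.
    has_crl = has_ocsp = False
    try:
        cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        has_crl = True
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_class(
            x509.AuthorityInformationAccess).value
        has_ocsp = any(d.access_method == AuthorityInformationAccessOID.OCSP
                       for d in aia)
    except x509.ExtensionNotFound:
        pass
    if not (has_crl or has_ocsp):
        findings.append("no revocation information (no CRL distribution "
                        "point and no OCSP responder URL)")
    return findings


def make_demo_cert(key_bits: int, with_eku: bool,
                   with_revocation_info: bool) -> x509.Certificate:
    """Construct a self-signed demo certificate with the chosen properties.
    Placeholder names/URLs; exists only to exercise audit_certificate()."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=30)))
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if with_revocation_info:
        builder = builder.add_extension(x509.CRLDistributionPoints([
            x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")],
                relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
        builder = builder.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(
                AuthorityInformationAccessOID.OCSP,
                x509.UniformResourceIdentifier("http://ocsp.example.test"))]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for label, cert in [("weak demo cert", make_demo_cert(1024, False, False)),
                        ("compliant demo cert", make_demo_cert(2048, True, True))]:
        result = audit_certificate(cert)
        print(f"{label}: {result or 'no findings'}")
```

Run against a real certificate, load it with `x509.load_pem_x509_certificate()` and pass the result to `audit_certificate()`; a non-empty list is grounds to reject the certificate regardless of whether its signature chains to a trusted root, which is exactly the situation the article describes.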
The moves by Mozilla – which have been mirrored by Microsoft – have been welcomed by digital certificate specialist Venafi, which has praised both companies for their prompt action, and added that lessons have clearly been learned from previous CA compromises and security management failures.
Jeff Hudson, Venafi's CEO, said that, while the move by the two IT majors has been prompt, it has still not stopped certificates from the Malaysian intermediate CA from reportedly being used to sign malware as part of a spear phishing attack against another Asian certificate authority.
“Never in the history of the security industry has something that's happened once not happened again. With Digicert Malaysia joining the ranks of other CA failures, businesses and browser manufacturers alike need to move past the shock and begin formulating recovery and business continuity plans. There will be more CA breaches in the future, and more users, companies and government agencies will be impacted if the affected organizations don’t have actionable recovery plans in place”, he explained.
“The fact is that CAs are a very juicy, high-value target – it's very easy to be critical of the Malaysian intermediate CA, but we don't know the full facts surrounding the case, and until we do, I don't think it is fair to speculate on the reasons – and possible failures – surrounding this latest CA problem”, he said.
“However, in spite of prompt action by Firefox and Microsoft, the challenge of ensuring that the Malaysian CA is now removed from all trust stores is going to be very time consuming and troublesome without effective certificate management tools”, he added.