Revoking Trust in DigiCert Sdn. Bhd Intermediate Certificate Authority

Johnathan Nightingale


Issue

Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an Extended Key Usage (EKU) extension specifying their intended usage, and they have been issued without revocation information.

This is not a Firefox-specific issue. Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority.

DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program.

Impact

An attacker could use one of these weak certificates to impersonate the legitimate owners. This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software. The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk.

Status

Mozilla is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24. Entrust has issued their own statement on the subject.

Credit

The issue was reported to us by Entrust, Inc.

Note: A member of the Mozilla community has translated this blog post into Malay.

12 responses

  1. Tom Womack wrote on :

    That seems rather drastic, since as far as I can see Digicert Sdn Bhd is quite thoroughly tied in with the Malaysian identity-card and online governing program – though that appears to be run mostly through Windows software and probably the revocation of keys for websites by Mozilla shouldn’t be too problematic.

  2. Myles wrote on :

    Tom – It’s not just Mozilla, the owner (Entrust) is revoking the intermediate CA certificate for DigiCert Malaysia.

    Glad to see that some bad actors are being shut down reasonably quickly these days.

  3. Bart Mensinger wrote on :

    Thanks for clarifying the non-affiliation between DigiCert Inc and Digicert Sdn Bhd. So far all of the posts on the issue have been good to include that.

    Official DigiCert Inc response – http://www.digicert.com/news/2011-11-1-breaches-and-similar-names.htm

  4. Neo wrote on :

    Maybe this makes sure governments pay more attention to the practices of the CAs they choose for their contracts. This is at least the second CA (the other being DigiNotar) in a short time span where such practices became public. Both CAs were involved in government contracts.

  5. Travis Tidball wrote on :

    From the article: “While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised.”

    Even though they weren’t issued fraudulently, they were certainly issued against industry standards & NIST recommendations. They didn’t follow approved guidelines, and now the certificates are no longer trusted. This is a case where the CA system works and, along with browsers, is helping to prevent what could be a major issue.

  6. Mark wrote on :

    Does this mean that Digicert’s is no longer trusted or they just have to re-issue the certs (and follow industry standards) and things will be ok again?

  7. web design company wrote on :

    a certificate for Mozilla.com without having to go through any validation or verify that he was authorized to order the certificate. He also did this for his own domain, startcom.org, without having to do any validation.

  8. Mary wrote on :

    How come in every browser (including ancient IE6) I can no longer access https://utmshare.utm.my/ EXCEPT Fx? I get warnings about a revoked cert on IE8, IE6, Iron 13.0.800.1, Opera 10.62 and Opera 11.52 but on Fx I can access the site with no problems and Fx says the cert is fine!

    “Intend to revoke” FOUR DAYS FROM NOW AND ONLY FOR FX8 (or 3.6) is too little too late. Unsupported versions of all other browsers are showing warnings and not allowing access. I use Fx4. I do not wish to upgrade Fx at this time and am a little more than irritated that Mozilla alone of all browser makers is forcing upgrade if I want to be protected on this issue.

    Travis, Mark read https://bugzilla.mozilla.org/show_bug.cgi?id=698753.

  9. Gervase Markham wrote on :

    Mark: the former.

    It means that DigiCert Malaysia (again, note no connection with DigiCert Inc. in the USA) will no longer have the capability to issue certificates trusted by the major browsers. In order to regain that capability they will either have to develop a relationship with an existing CA as they have in the past (and I suspect that CA would want strong evidence of great improvement) or go through the process to get a root of theirs included in each browser, which takes a long time, and about which difficult questions would also be asked.

  10. Ken Bretschneider wrote on :

    Mark, to clarify, they’re revoking trust with DigiCert Sdn Bhd (Malaysia) – not affiliated with the U.S.A.-based CA DigiCert, Inc., who for example secures Facebook.

  11. Tobias Kastner wrote on :

    I cannot find anything about this topic either in the release notes of Firefox 8 (http://www.mozilla.org/en-US/firefox/8.0/releasenotes/) or in the list of Security Advisories for Firefox 8 (http://www.mozilla.org/security/known-vulnerabilities/firefox.html).

    Have you revoked the trust in all certificates issued by DigiCert Sdn. Bhd. with Firefox 8?

  12. ozel guvenlik sirketleri wrote on :

    Entrust certificate authorities have not been affected. Entrust continues to put security of its systems and customers first and will continue to monitor its policies and security parameters to ensure the security of Entrust issued digital certificates.

    Entrust believes that security companies have a duty to take action when security incidents like this occur. Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users.