Note: This story has been updated with commentary from Entrust at the bottom.
Mozilla has announced that it is revoking trust in another intermediate signing certificate, this one belonging to a Malaysian certificate authority, DigiCert Sdn. Bhd.
According to the post, DigiCert Sdn. Bhd. (not to be confused with the US-based DigiCert) had issued 22 certificates with weak 512-bit RSA keys to the Malaysian government. RSA moduli of that size have been factorable for years, so an attacker could recover the private keys and abuse the certificates without ever touching the CA.
To date they do not appear to have been used fraudulently, but the possibility exists for these certificates to be abused.
Another problem is that DigiCert Sdn. Bhd. had been issuing certificates without an Extended Key Usage (EKU) extension.
The EKU extension tells the relying software what a certificate may be used for: TLS server authentication, client authentication, code signing, e-mail protection and so on. A certificate with no EKU at all is treated by most implementations as valid for every purpose, so a certificate issued for a web server could just as well be used to sign software.
The certificates issued by this CA (Certificate Authority) also carried no revocation information: no CRL distribution point and no OCSP responder address. A CA can still mark such a certificate revoked in its own records, but browsers and other clients have no way to find out, so in a situation like this the certificates cannot effectively be recalled.
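The three defects above are all visible in the certificate itself. As an added example (not code from the original post, Mozilla or any of the CAs involved), the following Python script, using the third-party `cryptography` package, audits a certificate for a weak RSA key, a missing EKU and missing revocation pointers. The issuing key, subject names, URLs and sample certificates it builds are constructed for the demonstration, and the 2048-bit floor is an assumption reflecting current practice rather than the 1024-bit minimum of 2011.

```python
"""Audit an X.509 certificate for a weak RSA key, a missing Extended Key
Usage and missing revocation pointers. Added example using the third-party
`cryptography` package; all certificates here are constructed samples."""
import secrets
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

# Assumption: 2048 bits as the floor. In 2011 the industry minimum was 1024
# bits, and 512-bit moduli had been publicly factored since 1999.
MIN_RSA_BITS = 2048
# Stand-in for the issuing CA's key: strong, so only the subject key is weak.
ISSUER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ISSUER_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Issuing CA")])


def _has_extension(cert, ext_class) -> bool:
    try:
        cert.extensions.get_extension_for_class(ext_class)
        return True
    except x509.ExtensionNotFound:
        return False


def audit_certificate(cert: x509.Certificate) -> list:
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    # 1. Key strength: a short modulus can be factored, handing the attacker the
    #    subscriber's private key without any break-in at the CA.
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {key.key_size} bits (minimum {MIN_RSA_BITS})")
    # 2. EKU: RFC 5280 treats a certificate with no EKU as usable for any purpose,
    #    so a web-server certificate would also sign code.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku:
            findings.append("EKU includes anyExtendedKeyUsage: no effective restriction")
    except x509.ExtensionNotFound:
        findings.append("no Extended Key Usage: certificate is valid for every purpose")
    # 3. Revocation pointers: a client can only learn of a revocation if the
    #    certificate says where to look (a CRL distribution point or an OCSP URL).
    has_ocsp = False
    if _has_extension(cert, x509.AuthorityInformationAccess):
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        has_ocsp = any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)
    if not (has_ocsp or _has_extension(cert, x509.CRLDistributionPoints)):
        findings.append("no revocation information: no CRL distribution point and no OCSP responder")
    return findings


def _probable_prime(bits: int) -> int:
    """Random probable prime with its top two bits set (Miller-Rabin, 40 rounds),
    so that the product of two such primes has exactly 2*bits bits."""
    while True:
        n = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(40):
            x = pow(2 + secrets.randbelow(n - 3), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = x * x % n
                if x == n - 1:
                    break
            else:
                break  # composite witness found: try the next candidate
        else:
            return n


def weak_public_key() -> rsa.RSAPublicKey:
    """A genuine 512-bit RSA public key, the size the Mozilla post complained about."""
    p, q = _probable_prime(256), _probable_prime(256)
    return rsa.RSAPublicNumbers(e=65537, n=p * q).public_key()


def make_sample_cert(subject_key, with_eku: bool, with_revocation: bool) -> x509.Certificate:
    """Issue a constructed test certificate carrying `subject_key` under ISSUER_KEY."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample.example")]))
               .issuer_name(ISSUER_NAME).public_key(subject_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365)))
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if with_revocation:  # hypothetical URLs; a real CA publishes its own
        builder = builder.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.sample.example/ca.crl")],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
        builder = builder.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP,
            x509.UniformResourceIdentifier("http://ocsp.sample.example"))]), critical=False)
    return builder.sign(ISSUER_KEY, hashes.SHA256())


if __name__ == "__main__":
    samples = {
        "512-bit key, no EKU, no revocation info": make_sample_cert(weak_public_key(), False, False),
        "2048-bit key, EKU and revocation info": make_sample_cert(ISSUER_KEY.public_key(), True, True),
    }
    for label, cert in samples.items():
        print(f"{label}: {audit_certificate(cert) or 'no findings'}")
```

The first sample mirrors the incident: the issuing key is strong, but the certificate carries a 512-bit subject key, no EKU and no CRL or OCSP pointer, so all three checks fire; the second sample passes cleanly. To audit a real certificate, load it with `x509.load_pem_x509_certificate` and pass the result to `audit_certificate`.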
As a result, Mozilla decided to revoke trust in DigiCert Sdn. Bhd.'s intermediate certificates in Firefox, citing a lack of confidence in the CA's business practices.
DigiCert Sdn. Bhd. was a subordinate CA of Entrust (who notified Mozilla of the issue) and Verizon (GTE CyberTrust).
Entrust has made a statement that they will be globally revoking DigiCert Sdn. Bhd.’s signing certificates on or before November 8, 2011, allowing time for their customers to acquire valid replacement certificates.
Entrust also stated:
“Entrust believes that security companies have a duty to take action when security incidents like this occur. Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users.”
That’s nice, but why are the root certificate authorities not performing proper audits to stop their subordinates from behaving badly to begin with?
It looks like we may have nipped this one in the bud, but I am sure it will not be the last time our misplaced trust in the digital certificate system will be abused.
Update: I have been contacted by Entrust, who say that two of the certificates issued by the Malaysian DigiCert Sdn. Bhd. were used to sign malware used in a spear-phishing attack against another Asian certificate authority. That authority noticed the attack and was able to raise an alert.
Three other certificates were also involved, but were not issued by DigiCert Sdn. Bhd. This suggests we may be posting a follow-up soon about another certificate authority with similar issues, or a compromise.
Entrust responded to my concerns regarding their audit requirements. Their spokesperson stated:
“Regarding audit, we learned a big lesson with this one – trust, but confirm.”
They said that DigiCert Sdn. Bhd. had passed an audit to Malaysian government standards by a large global auditing firm, but was not in compliance.
Certificate notaries are looking better and better...
Hey Chester,
I'd like to thank you on behalf of DigiCert (Inc) for the way that you've handled this issue, which, as I think you can imagine, is quite a touchy one for our company. We've had quite a few panicked customers contact us in the last few hours because of something they saw on Twitter (or wherever) that wasn't as descriptive as it could have been considering the circumstances.
For those interested in our official response to the issue – http://www.digicert.com/news/2011-11-1-breaches-a…
This is a case where the Certificate Authority system is working exactly the way it should... Industry guidelines and requirements weren't followed, so the certificates are revoked, preventing what could have been a big issue.
Sure, the certificates shouldn't have been issued in the first place, but there is a system in place to help mitigate and prevent potential damage. For all the bad news about CAs that was published in the last few months, I chalk this one up to being on the good side.
There are only two certificate authorities in Malaysia, and DigiCert Sdn Bhd is one of them. If this issue had ended the way DigiNotar's did, I believe it would have made things more difficult for the CA business.
The whole foundation of trust in certificates is getting weaker by the day. I recently downloaded Network Monitor 3.4 from the Microsoft website and noticed that its digital certificate had expired more than a year earlier.
On the other hand, Windows 7 doesn't seem to have any qualms about running executables with expired digital certificates and doesn't even issue a warning. I have already noticed this on a few installers running with admin privileges whose certificates had expired. Now here's the situation:
1- The trustworthiness of certificates is dwindling rapidly
2- Even companies like Microsoft don't keep the certificates of their software up to date
3- The most popular OS has a lax policy of controlling digital signatures of applications
Until companies get their own acts together, how can they expect end users to exercise best practices? It doesn't matter much even if they do.