Another certificate authority issues dangerous certificates

Note: This story has been updated with commentary from Entrust at the bottom.

Mozilla has announced they are revoking another intermediate signing certificate used by a registrar in Malaysia, DigiCert Sdn. Bhd.

According to the post, DigiCert Sdn. Bhd. (not to be confused with the US-based DigiCert) had issued 22 weak certificates (512-bit RSA) to the Malaysian government that could lead to abuse or compromise.

To date they do not appear to have been used fraudulently, but the possibility exists for these certificates to be abused.

Another problem is that DigiCert Sdn. Bhd. had been issuing certificates that did not contain what is called an EKU (Extended Key Usage).

EKUs tell your browser what a digital certificate is permitted to be used for. Is it a client certificate, a server certificate or a root signing certificate?

The certificates issued by this CA (Certificate Authority) also lacked revocation information. That means that in a situation like this there is no mechanism by which these certificates can be recalled.
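The three defects described above (a weak RSA key, no Extended Key Usage, no revocation information) are all visible in the certificate itself, so a relying party or an auditor can check for them mechanically. The following Go program is an added example written for this article, not code from Mozilla, Entrust or DigiCert: it builds two constructed self-signed test certificates, one with all three defects and one without, and runs a small policy check over each using only the standard library. Go's crypto/rsa refuses to generate 512-bit keys, so the "bad" certificate uses a 1024-bit key and the check is parameterised with a 2048-bit floor; the hostnames and URLs in it are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy violation detected in a certificate.
type Finding string

// auditLeaf inspects a parsed certificate for the three defects the article
// describes: an RSA key below minRSABits, no Extended Key Usage extension,
// and no revocation pointers (neither a CRL distribution point nor an OCSP URL).
func auditLeaf(cert *x509.Certificate, minRSABits int) []Finding {
	var findings []Finding
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if bits := pub.N.BitLen(); bits < minRSABits {
			findings = append(findings,
				Finding(fmt.Sprintf("weak RSA key: %d bits (< %d)", bits, minRSABits)))
		}
	}
	// Go parses recognised EKU OIDs into ExtKeyUsage and the rest into
	// UnknownExtKeyUsage; both empty means the extension is absent.
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		findings = append(findings, "no Extended Key Usage extension")
	}
	if len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0 {
		findings = append(findings,
			"no revocation information (no CRL distribution point or OCSP URL)")
	}
	return findings
}

// selfSigned builds a constructed test certificate (placeholder subject) with
// the given RSA key size, EKU list, CRL distribution points and OCSP URLs.
func selfSigned(bits int, eku []x509.ExtKeyUsage, crl, ocsp []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // placeholder
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           eku,
		CRLDistributionPoints: crl,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Defective certificate: small key, no EKU, no revocation pointers.
	bad, err := selfSigned(1024, nil, nil, nil)
	if err != nil {
		panic(err)
	}
	// Well-formed certificate: 2048-bit key, serverAuth EKU, CRL and OCSP URLs
	// (placeholder hostnames).
	good, err := selfSigned(2048,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		[]string{"http://crl.example.test/ca.crl"},
		[]string{"http://ocsp.example.test"})
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"bad": bad, "good": good} {
		fmt.Printf("%s: %d finding(s)\n", name, len(auditLeaf(c, 2048)))
		for _, f := range auditLeaf(c, 2048) {
			fmt.Println("  -", f)
		}
	}
}
```

The same check applies unchanged to certificates read from a file or a live TLS connection: parse the DER with x509.ParseCertificate and pass it to auditLeaf. A browser root program would want more rules than these three, but these are exactly the ones the article says went unenforced.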

As a result, Mozilla decided to remove the signing certificate for DigiCert Sdn. Bhd. from Firefox’s trusted root certificate list, citing a lack of confidence in their business practices.

DigiCert Sdn. Bhd. was a subordinate CA of Entrust (who notified Mozilla of the issue) and Verizon (GTE CyberTrust).

Entrust has made a statement that they will be globally revoking DigiCert Sdn. Bhd.’s signing certificates on or before November 8, 2011, allowing time for their customers to acquire valid replacement certificates.

Entrust also stated:

“Entrust believes that security companies have a duty to take action when security incidents like this occur. Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users.”

That’s nice, but why are the root certificate authorities not performing proper audits to stop their subordinates from behaving badly to begin with?

It looks like we may have nipped this one in the bud, but I am sure it will not be the last time our misplaced trust in the digital certificate system will be abused.

Update: I have been contacted by Entrust who say that two of the certificates issued by the Malaysian DigiCert Sdn. Bhd. were used to sign malware used in a spear phishing attack against another Asian certificate authority. This authority noticed the attack and was able to raise an alert.

Three other certificates were also involved, but were not issued by DigiCert Sdn. Bhd. This suggests we may be posting a follow-up soon about another certificate authority with similar issues, or a compromise.

Entrust responded to my concerns regarding their audit requirements. Their spokesperson stated:

“Regarding audit, we learned a big lesson with this one – trust, but confirm.”

They said that DigiCert Sdn. Bhd. had passed an audit to Malaysian government standards by a large global auditing firm, but were not in compliance.