Microsoft, Mozilla and Google have announced that they are revoking trust in Malaysia-based DigiCert Sdn. Bhd., an intermediate certificate authority authorized by the well-known CA Entrust, following the issuance of 22 certificates with weak keys that also lacked key usage extensions and revocation information.
“There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised,” wrote Jerry Bryant of Microsoft’s Trustworthy Computing. “These compromised certificates could allow an attacker to impersonate the legitimate owner and make a user believe they are trusting a website or signed software that was created for malicious use. The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates.”
Both Mozilla and Microsoft made sure to note that there is no relationship between DigiCert Malaysia and Utah-based DigiCert Inc., which is a member of the Windows Root Certificate Program and Mozilla’s root program.
“It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards,” stated Entrust on its website, and announced that the company will revoke DigiCert Malaysia’s certificate on or before November 8th (Tuesday). The date has been chosen to give its customers enough time to replace their SSL server certificates.
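The defects Entrust describes (512-bit RSA keys, missing key usage extensions, no revocation information) are all things a relying party or CA auditor can check mechanically. The following script is an added example written for this article; it is not tooling from Entrust, DigiCert or any browser vendor. The `audit()` policy works on a small record of certificate facts, and `facts_from_pem()` fills that record from a real PEM certificate using the third-party `cryptography` package (an assumption: it is only imported when that function is called). The 2048-bit threshold and the sample subject names are constructed for the demonstration.

```python
"""Audit certificate facts for the weaknesses reported in the DigiCert Sdn. Bhd. case.

Example code added for illustration; not the tooling of any CA or browser vendor.
"""
from dataclasses import dataclass

# Assumption: 2048 bits is used here as the minimum acceptable RSA size;
# the certificates in the article carried 512-bit keys.
MIN_RSA_BITS = 2048

# Either of these extensions gives a relying party a way to check revocation.
REVOCATION_EXTENSIONS = frozenset({"cRLDistributionPoints", "authorityInfoAccess"})


@dataclass(frozen=True)
class CertFacts:
    """The handful of certificate properties the audit needs."""
    subject: str
    key_type: str            # "RSA", "EC", ...
    key_bits: int
    extensions: frozenset    # names of the extensions present on the certificate


def audit(facts: CertFacts) -> list:
    """Return a list of findings; an empty list means the certificate passed."""
    findings = []
    if facts.key_type == "RSA" and facts.key_bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {facts.key_bits} bits (minimum {MIN_RSA_BITS})")
    if "keyUsage" not in facts.extensions:
        findings.append("missing keyUsage extension")
    if "extendedKeyUsage" not in facts.extensions:
        findings.append("missing extendedKeyUsage extension")
    if not (REVOCATION_EXTENSIONS & facts.extensions):
        findings.append("no revocation information (no CRL distribution point or AIA/OCSP)")
    return findings


def facts_from_pem(pem_data: bytes) -> CertFacts:
    """Build CertFacts from a PEM certificate. Requires the 'cryptography' package."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import ec, rsa

    # Map the extension OIDs the audit cares about to the names used above.
    oid_names = {
        x509.ExtensionOID.KEY_USAGE: "keyUsage",
        x509.ExtensionOID.EXTENDED_KEY_USAGE: "extendedKeyUsage",
        x509.ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints",
        x509.ExtensionOID.AUTHORITY_INFORMATION_ACCESS: "authorityInfoAccess",
    }
    cert = x509.load_pem_x509_certificate(pem_data)
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key_type, key_bits = "RSA", pub.key_size
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_type, key_bits = "EC", pub.key_size
    else:
        key_type, key_bits = type(pub).__name__, 0
    names = frozenset(oid_names.get(ext.oid, ext.oid.dotted_string) for ext in cert.extensions)
    return CertFacts(cert.subject.rfc4514_string(), key_type, key_bits, names)


# Constructed sample records: one mirroring the defects described in the article,
# one that a properly issued server certificate would produce.
SAMPLE_WEAK = CertFacts("CN=weak.example (constructed)", "RSA", 512, frozenset())
SAMPLE_OK = CertFacts(
    "CN=ok.example (constructed)", "RSA", 2048,
    frozenset({"keyUsage", "extendedKeyUsage", "cRLDistributionPoints", "authorityInfoAccess"}),
)

if __name__ == "__main__":
    import sys
    # With a file argument, audit a real certificate; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            records = [facts_from_pem(fh.read())]
    else:
        records = [SAMPLE_WEAK, SAMPLE_OK]
    for rec in records:
        print(rec.subject)
        for finding in audit(rec) or ["no findings"]:
            print("  -", finding)
```

Run with a PEM file path to audit a real certificate, or with no arguments to see the constructed samples: the weak record produces four findings (undersized key, both missing usage extensions, no revocation pointer), the compliant one none. In practice the same checks belong in certificate-issuance linting on the CA side, which is where the article's certificates should have been stopped.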
“The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk,” commented Mozilla.
But not everything is as simple as it first appears.
“I have been contacted by Entrust who say that two of the certificates issued by the Malaysian DigiCert Sdn. Bhd. were used to sign malware used in a spear phishing attack against another Asian certificate authority,” reports Sophos’ Chester Wisniewski. “This authority noticed the attack and was able to raise an alert.”
“Three other certificates were also involved, but were not issued by DigiCert Sdn. Bhd. This suggests we may be posting a follow-up soon about another certificate authority with similar issues, or a compromise.”
UPDATE: DigiCert Sdn. Bhd. has issued a statement saying that they “vehemently deny” any fraudulent act on their part. “Nevertheless, we are currently investigating what had prompted such allegations and we are treating this matter as our top priority,” said its CEO.