Browsers Revoking Trust - DigiCert Sdn. Bhd


1 reply to this topic

#1 Chachazz

Posted 04 November 2011 - 12:51 AM

Mozilla Security: Revoking Trust in DigiCert Sdn. Bhd
2011-11-03 by Johnathan Nightingale at 10:56:45 via Planet Mozilla

Issue
Entrust, Inc., a certificate authority in Mozilla's root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an EKU extension specifying their intended usage and they have been issued without revocation information.

This is not a Firefox-specific issue. Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority.

DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla's root program.

Impact
An attacker could use one of these weak certificates to impersonate the legitimate owners. This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software. The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk.

Status
Mozilla is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24. Entrust has issued their own statement on the subject.

Credit
The issue was reported to us by Entrust, Inc.

Mozilla Security Blog
http://blog.mozilla....cate-authority/
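
An added example, not part of the original post or of Mozilla's advisory: a check for the three certificate defects the advisory names (weak key, missing EKU extension, no revocation information), written with the third-party Python `cryptography` package. The 2048-bit threshold, the finding labels and `build_sample_cert` (which produces a constructed self-signed test certificate) are assumptions of this example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID

MIN_RSA_BITS = 2048  # assumed threshold; the advisory does not give a key size

def _ext(cert, cls):  # extension value of type cls, or None if it is absent
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def has_revocation_info(cert):
    """True if the cert names a CRL distribution point or an OCSP responder."""
    if _ext(cert, x509.CRLDistributionPoints) is not None:
        return True
    aia = _ext(cert, x509.AuthorityInformationAccess)
    return aia is not None and any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)

def audit_certificate(cert):
    """Return finding labels (names chosen for this example) for one certificate."""
    findings = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append("weak-key")
    if _ext(cert, x509.ExtendedKeyUsage) is None:
        findings.append("no-eku")
    if not has_revocation_info(cert):
        findings.append("no-revocation-info")
    return findings

def build_sample_cert(bits, with_eku, with_crl):
    """Constructed self-signed test certificate, not any real CA's output."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample.example")])
    start = datetime.datetime(2011, 11, 1)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    if with_eku:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if with_crl:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier("http://crl.example/ca.crl")], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    print(audit_certificate(build_sample_cert(1024, with_eku=False, with_crl=False)))
```

To audit a certificate from disk, load it with `x509.load_pem_x509_certificate()` and pass the result to `audit_certificate()`.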

#2 Chachazz

Posted 04 November 2011 - 01:29 AM

Microsoft will revoke trust also:
http://blogs.technet...be-updated.aspx