Corporate Partners

Mozilla revokes 22 "compromised" SSL certificates

Weak keys affect all browsers in yet another trust hiccup.

Mozilla has revoked its trust for a Malaysian certificate authority that issued 22 Secure Sockets Layer certificates with 'weak keys', potentially making them available to spoof a legitimate website.

DigiCert, a Malaysian 'subordinate' of the certificate authorities Entrust and CyberTrust, had used "weak keys" and failed to specify the extensions for "extended key usage" used in instances where authentication is required.

"While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised," said Mozilla's director of Firefox engineering, Jonathan Nightingale.

"An attacker could use one of these weak certificates to impersonate the legitimate owners."

They could also be used to disseminate malware by making malicious files appear to come from a legitimate source.

The certificates were issued to a mix of Malaysian government websites and "internal systems", according to Mozilla.

"We do not believe other sites are at risk," said Nightingale.

Besides Firefox, Internet Explorer, Chrome and Opera were also affected, said Nightingale.

The latest website certificate scare is yet another example of the challenges to the incumbent trust system the web relies on.

The certificates are supposed to indicate to a website visitor that a domain is the digital property of the company it purports to be from.

DigiCert (Sdn. Bhd) itself is a 'subordinate' CA to Entrust and Verizon's GTE CyberTrust, both widely used providers of Secure Sockets Layer (SSL) and Extended Validation (EV) SSL certificates to website operators.

The DigiCert scare follows the breach of systems at Dutch CA, DigiNotar, a subsidiary of US company Vasco.

An Iranian hacker used Diginotar's infrastructure to issue over 200 fraudulent certificates, putting hundreds of thousands of Iranian citizens at risk of spying by the country's government agencies.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags CybertrustJonathan NightingaleEntrustsecuritySSL CertificatesDigiCertmozilla

More about CA TechnologiesEntrustGTEMozillaVascoVerizonVerizon

3 Comments

Ramo

1

Correction in the last few paragraphs: The Iranian guy compromised DigiNotar, not DigiCert. DigiCert is what the rest of the article is about. that's a pretty significant mistake that you made - Twce!

--------------------------------------

http://www.security4noobs.com

CSO Publisher

Staff

2

I apologoise for this error and have made the changes to the article .

Allen

3

The article is a pretty cool stuff and I appreciate your acceptance in the flaws.

Comments are now closed

Market Place