Mozilla revokes 22 "compromised" SSL certificates

Weak keys affect all browsers in yet another trust hiccup.

Mozilla has revoked its trust in a Malaysian certificate authority that issued 22 Secure Sockets Layer (SSL) certificates with 'weak keys', which could potentially be used to spoof a legitimate website.

DigiCert, a Malaysian 'subordinate' of the certificate authorities Entrust and CyberTrust, had issued certificates with "weak keys" and had failed to specify the "extended key usage" extensions that indicate the purposes, such as authentication, for which a certificate may be used.

"While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised," said Mozilla's director of Firefox engineering, Jonathan Nightingale.

"An attacker could use one of these weak certificates to impersonate the legitimate owners."

They could also be used to disseminate malware by making malicious files appear to come from a legitimate source.
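As an added example (not code from the article, Mozilla or DigiCert), the following Go program checks a parsed certificate for the two defects described above, an RSA key below a chosen minimum and a wholly absent Extended Key Usage extension, using only the standard library; the self-signed certificates it generates are constructed test data and "example.test" is a placeholder name.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Audit reports an RSA modulus shorter than minBits and a wholly absent Extended
// Key Usage (EKU) extension, the two defects the article describes.
func Audit(cert *x509.Certificate, minBits int) (weakKey, missingEKU bool) {
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		weakKey = pub.N.BitLen() < minBits
	}
	// Go stores known EKU values and unknown OIDs separately; both empty means absent.
	missingEKU = len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0
	return weakKey, missingEKU
}

// SelfSigned builds a throwaway self-signed certificate (constructed test data,
// not a real CA-issued one) with the requested RSA size and EKU list.
func SelfSigned(bits int, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku, // nil leaves the EKU extension out entirely
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	weak, _ := SelfSigned(1024, nil) // below the 2048-bit floor; the smallest size current Go generates
	good, _ := SelfSigned(2048, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println(Audit(weak, 2048)) // true true
	fmt.Println(Audit(good, 2048)) // false false
}
```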

The certificates were issued to a mix of Malaysian government websites and "internal systems", according to Mozilla.

"We do not believe other sites are at risk," said Nightingale.

Besides Firefox, Internet Explorer, Chrome and Opera were also affected, said Nightingale.

The latest website certificate scare is yet another example of the challenges to the incumbent trust system the web relies on.

The certificates are supposed to indicate to a website visitor that a domain is the digital property of the company it purports to belong to.

DigiCert (Sdn. Bhd) itself is a 'subordinate' CA to Entrust and Verizon's GTE CyberTrust, both widely used providers of Secure Sockets Layer (SSL) and Extended Validation (EV) SSL certificates to website operators.

The DigiCert scare follows the breach of systems at the Dutch CA DigiNotar, a subsidiary of US company Vasco.

An Iranian hacker used DigiNotar's infrastructure to issue over 200 fraudulent certificates, putting hundreds of thousands of Iranian citizens at risk of spying by the country's government agencies.


3 Comments

Ramo

1

Correction in the last few paragraphs: The Iranian guy compromised DigiNotar, not DigiCert. DigiCert is what the rest of the article is about. That's a pretty significant mistake that you made - Twice!

--------------------------------------

http://www.security4noobs.com

CSO Publisher

Staff

2

I apologise for this error and have made the changes to the article.

Allen

3

The article is pretty cool stuff and I appreciate your acceptance of the flaws.
