Mozilla revokes 22 "compromised" SSL certificates
- — 04 November, 2011 09:41
Mozilla has revoked its trust for a Malaysian certificate authority that issued 22 Secure Sockets Layer certificates with 'weak keys', potentially making them available to spoof a legitimate website.
DigiCert, a Malaysian 'subordinate' of the certificate authorities Entrust and CyberTrust, had used "weak keys" and failed to specify the extensions for "extended key usage" used in instances where authentication is required.
"While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised," said Mozilla's director of Firefox engineering, Jonathan Nightingale.
"An attacker could use one of these weak certificates to impersonate the legitimate owners."
They could also be used to disseminate malware by making malicious files appear to come from a legitimate source.
The certificates were issued to a mix of Malaysian government websites and "internal systems", according to Mozilla.
"We do not believe other sites are at risk," said Nightingale.
Besides Firefox, Internet Explorer, Chrome and Opera were also affected, said Nightingale.
The latest website certificate scare is yet another example of the challenges to the incumbent trust system the web relies on.
The certificates are supposed to indicate to a website visitor that a domain is the digital property of the company it purports to be from.
DigiCert (Sdn. Bhd) itself is a 'subordinate' CA to Entrust and Verizon's GTE CyberTrust, both widely used providers of Secure Sockets Layer (SSL) and Extended Validation (EV) SSL certificates to website operators.
The DigiCert scare follows the breach of systems at Dutch CA, DigiNotar, a subsidiary of US company Vasco.
An Iranian hacker used Diginotar's infrastructure to issue over 200 fraudulent certificates, putting hundreds of thousands of Iranian citizens at risk of spying by the country's government agencies.