Mozilla revokes 22 "compromised" SSL certificates

Weak keys affect all browsers in yet another trust hiccup.

Mozilla has revoked its trust for a Malaysian certificate authority that issued 22 Secure Sockets Layer certificates with 'weak keys', potentially allowing them to be used to spoof a legitimate website.

DigiCert, a Malaysian 'subordinate' of the certificate authorities Entrust and CyberTrust, had used "weak keys" and failed to specify the "extended key usage" extensions, which are used in instances where authentication is required.

"While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised," said Mozilla's director of Firefox engineering, Jonathan Nightingale.

"An attacker could use one of these weak certificates to impersonate the legitimate owners."

They could also be used to disseminate malware by making malicious files appear to come from a legitimate source.

The certificates were issued to a mix of Malaysian government websites and "internal systems", according to Mozilla.

"We do not believe other sites are at risk," said Nightingale.

Besides Firefox, Internet Explorer, Chrome and Opera were also affected, said Nightingale.

The latest website certificate scare is yet another example of the challenges to the incumbent trust system the web relies on.

The certificates are supposed to indicate to a website visitor that a domain is the digital property of the company it purports to belong to.

DigiCert (Sdn. Bhd) itself is a 'subordinate' CA to Entrust and Verizon's GTE CyberTrust, both widely used providers of Secure Sockets Layer (SSL) and Extended Validation (EV) SSL certificates to website operators.

The DigiCert scare follows the breach of systems at Dutch CA DigiNotar, a subsidiary of US company Vasco.

An Iranian hacker used DigiNotar's infrastructure to issue over 200 fraudulent certificates, putting hundreds of thousands of Iranian citizens at risk of spying by the country's government agencies.

Stories by Liam Tung