Mozilla, Microsoft Withdraw Trust in Malaysian Intermediate CA

By John Ribeiro, IDG News
PCWorld

Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority (CA) , after it was found that it had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.

The Malaysian company was issued an intermediate CA certificate in July, 2010 by Entrust in Dallas, Texas, which was licensed for distribution with SSL (Secure Sockets Layer) and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.

Entrust said in a bulletin on its website that it had been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Entrust has revoked the 512-bit certificates issued by Digicert and made them available to major browser vendors to blacklist if found appropriate, it added.

Digicert in Malaysia does not have any relationship with DigiCert, a CA based in Utah.

Digicert in Malaysia could not be immediately reached for comment. It said on its website that it is at the center of an effective trust model that the Malaysian government is creating to address the issue of information security, and the negative perception about online transactions. The company said it was licensed by the Malaysia government, and its “trust solutions are legally recognized under Malaysian law”.

Entrust said it will revoke the intermediate CA certificate on or before Tuesday, to give Digicert Malaysia’s customers a “modest amount of time” to replace their SSL server certificates. Entrust has meanwhile made the intermediate certificate available to the browser vendors for blacklisting.

The certificates in question were issued to a mix of Malaysian government websites and internal systems, Mozilla said in its security blog. “We do not believe other sites are at risk,” it added.

Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that it was not a Firefox specific issue, and the update will be in Firefox 8 and Firefox 3.6.24. Mozilla said the issue was reported to it by Entrust.

Firefox 3.6.24 is scheduled for release on Nov. 8 while Firefox 8 will release on Nov. 17, according to Mozilla.

Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update. said Jerry Bryant, group manager, response communications for Trustworthy Computing at the company, in a blog post.

“There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised,” Bryant said. The compromised certificates could allow an attacker to impersonate the legitimate owner thus making the user believe they are trusting a website or signed software that was created for malicious use, he added.

There is no evidence that the Digicert Malaysia certificate authorities have been compromised, Entrust said.

Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by Dutch CA DigiNotar, according to a report released in September by security firm, Fox-IT. A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel’s Mossad, after a security breach.

CategoriesIT

19 Replies to “Mozilla, Microsoft Withdraw Trust in Malaysian Intermediate CA”

  1. Ha! Ha! Ha! Malaysia Boleh! this may be akin to a professional body which used to be regarded with some respects in the transport industry. Its standard of expections was high enough to see some 60% passes among the students. To oblige the recognition of the Malaysian Gomen, it then allowed a Bumiputra Institution to take over the local examination! Presto! every student seems to be able to pass provuded the fee is paid to a private institution whose self-proclaimed expertise allowed him to be bestowed a fellowship of the Insitute. To make the story short, the International body finally suspended the local chapter the right to conduct any examination! Reason, simple enough, you pay you pass! hence, one can understand the mind-set on creating As in all local examinations; and somehow these A-students seemed unable to achieve much at international level! Yes. some one said: shiok sendiri syndrome has permeated through our DNA! In every aspect of our endeavour, we seem to believe the rest of the world is stupid enough for our bluff with our imagination of Malaysia Boleh!

  2. This is a blow. Digicert Malaysia Malaysia, an associate company of Pos Malaysia and MIMOS Berhad provides trust solutions for e-businesses and e-government initiatives. Now it is accused by Mozilla and Microsoft of issuing 22 digital certificates with weak 512-bit keys that did not contain Extended key Usage essential to tell browser what type of rights a digital certificate should have and revocation information resulting in trust in these digital certificates being revoked. This goes to the issue to human capital here & value system – whether we keep up to World’s standards of excellence and professionalism. But how could we when we are subject to critical constraint that meritocracy takes back seat to race specific socio/economic re-engineering???

  3. When Parliament passed the Digital Signature Act 1997 Malaysia was touted as among the first countries in Asia to formulate laws governing the use and application of digital signatures as a means to propel the country into the digital economy. The Act says that a document signed with a digital signature shall be as legally binding as one signed with a handwritten signature, a thumb print or any other appropriate mark. Digital signatures, secured against forgery through the use of cryptography and which tie an entity to the document digitally signed by it are inextricably linked to integrity of digital certificates standing behind and supporting these digital signatures. How will Mozilla and Microsoft’s revoking of trust in all certificates issued by the Malaysian Digicert affect the status and perception of authenticity of these e-signatures in documents signed by digital signatures already transmitted via computer networks?

  4. This is the price to pay for a country beset with brain drain problems where the knowledgeable and talented left for greener pastures leaving behind the mediocre to do the work. And yet, the government still did not see the gravity of the problem.

  5. Welcome to the world of Bolehland where any trust created cannot be trusted. Is this tantamount to a no vote of confidence to anything made in Bolehland as long as principles, integrity and honesty are compromised?

  6. That’s what one calls ‘egg in the face’.

    To digress a bit: The most recent World Solar Challenge has ended with the two Malaysian Teams ranked in exactly the two last positions, when one excludes another team whose car went up in flames.
    It is very high time we address these types of shortcomings. We do not do that yet. We do not do any postmortem on items like that.

    Instead, we state ” some events that affected the team and car here could not be avoided.” What does that mean? It says ‘we did everything right, we did make no mistakes, it was fate that we could not be better placed’; doesn’t it?

    Also, look at the name of the original undertaking: Digicert Sdn Bhd
    Use Google with the search term “Digicert” and the first hit is
    “DigiCert Sdn not DigiCert | digicert.com
    http://www.digicert.com/NameConfusion
    It says
    “We (DigiCert, Inc.) are not affiliated in any way with Digicert Sdn Bhd, and our customers have not been and will not be affected by this issue.”

    Why do we try so hard to sail in the shadow of a successful (and competent) enterprise? The real Digicert could even sue us (our government).

  7. So what happened umno? Have you been demanding for certs from digicert malaysia with excessively long validity periods? In malaysia umno boleh but in this globaql village ‘umno boleh’ is a liability and an embarassment.

  8. Now, you know as to why they do not like English to be taught in schools! They will be exposed! They really prefer to ‘bluff’ the locals with their version of ‘Super-standard’ in creating As everywhere but dare not enter international competition where our standards will be exposed! Since our SPM has produced thousands of As, let’s prepare our students for a more equitable benchmarking: the PISA test! This test should give us an inkling of our Standard; whether world class or just merely for ” Syiok sendiri”!

  9. Using Firefox 8.0 and latest version of Chrome, you can no longer load Jaring’s SelfCare site. The SelfCare site is needed to manage your Jaring account, including to top-up your credit. I hope Jaring is paying attention and not be like Digicert Sdn Bhd.

  10. – ————————————————————————-
    Debian Security Advisory DSA-2343-1 [email protected]
    http://www.debian.org/security/ Raphael Geissert
    November 09, 2011 http://www.debian.org/security/faq
    – ————————————————————————-

    Package : openssl
    Vulnerability : CA trust revocation
    Problem type : remote
    Debian-specific: no

    Several weak certificates were issued by Malaysian intermediate CA “Digicert Sdn. Bhd.” This event, along with other issues, has lead to Entrust Inc. and Verizon Cybertrust to revoke the CA’s cross-signedcertificates.

    This update to OpenSSL, a Secure Sockets Layer toolkit, reflects this decision by marking Digicert Sdn. Bhd.’s certificates as revoked.

    For the oldstable distribution (lenny), this problem has been fixed in version 0.9.8g-15+lenny14.

    For the stable distribution (squeeze), this problem has been fixed in version 0.9.8o-4squeeze4.

    For the testing distribution (wheezy), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in version 1.0.0e-2.1.

    We recommend that you upgrade your openssl packages.

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Leave a Reply