Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority, after it was found that it had issued 22 certificates with weak 512 bit keys and missing certificate extensions and revocation information.
The Malaysian company was issued an intermediate CA certificate in July, 2010 by Entrust, which was licensed for distribution with SSL (Secure Sockets Layer) and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.
Entrust said in a bulletin on its website that it had been discovered that Digicert Malaysia has issued certificates with weak 512 bit RSA keys and missing certificate extensions. Entrust has revoked the 512 bit certificates issued by Digicert and made them available to major browser vendors to blacklist if found appropriate, it added.
Digicert in Malaysia does not have any relationship with the US-based DigiCert authority.
Digicert Malaysia could not be immediately reached for comment. It said on its website that it is at the centre of an effective trust model that the Malaysian government is creating to address the issue of information security, and the negative perception about online transactions. The company said it was licensed by the Malaysia government, and its "trust solutions are legally recognised under Malaysian law."
Entrust said it will revoke the intermediate CA certificate on or before Tuesday, to give Digicert Malaysia's customers a "modest amount of time" to replace their SSL server certificates. Entrust has meanwhile made the intermediate certificate available to the browser vendors for blacklisting.
The certificates in question were issued to a mix of Malaysian government websites and internal systems, Mozilla said in its security blog. "We do not believe other sites are at risk," it added.
Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that it was not a Firefox specific issue, and the update will be in Firefox 8 and Firefox 3.6.24. Mozilla said the issue was reported to it by Entrust.
Firefox 3.6.24 is scheduled for release on November 8 while Firefox 8 will release on November 17, according to Mozilla.
Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update, said Jerry Bryant, group manager of response communications for Trustworthy Computing at the company, in a blog post.
"There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised," Bryant said. The compromised certificates could allow an attacker to impersonate the legitimate owner thus making the user believe they are trusting a website or signed software that was created for malicious use, he added.
Google is blocking serial numbers that correspond to the 22 certificates. As a larger measure, it plans to block the Digicert certificate by Tuesday, the date also decided upon by Entrust.
There is no evidence that the Digicert Malaysia certificate authorities have been compromised, Entrust said.