After the DigiNotar incident, it's the turn of a Malaysian CA to issue some dangerous certificates which may compromise the websites that utilize them.
According to Sophos, DigiCert Sdn. Bhd., which is unrelated to the US-based DigiCert, issued 22 certificates for the Malaysian government that later turned out to be problematic.
The incident revealed a bundle of flaws in the certificates issued by the CA. One of the most important ones is that they didn't contain an Extended Key Usage (EKU) extension, which is what tells the browser which purposes (for example, server authentication or code signing) a certificate may be used for.
Another problem was the lack of revocation information, meaning that the certificates cannot effectively be recalled in an unfortunate situation such as this one, because clients have no way to learn that they have been revoked.
Entrust, the owner of DigiCert Sdn. Bhd., notified the parties involved and released a statement in which it revealed its plans to revoke the affected company's certificates globally.
"It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards," reads their statement.
"Entrust believes that security companies have a duty to take action when security incidents like this occur. Upon discovery of the issues with Digicert Malaysia certificates, Entrust took immediate steps to address the situation to ensure the security of Entrust customers and all Internet users."
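The three defects named in the statement above and in the description of the incident (a weak RSA key, a missing EKU extension, and no revocation information) can all be spotted by looking at the certificate's own ASN.1 structure. The following is an added example, not code from the article, Entrust or DigiCert: a linter written with only the Python standard library that walks a DER-encoded certificate and reports those three problems. The DER helpers, the `build_cert` skeleton builder, the placeholder URL and the two sample certificates are constructed here for the demonstration; the samples are unsigned skeletons with a placeholder modulus, not output of any real CA.

```python
# Added example, not part of the article: a stdlib-only linter for the three
# defects the Entrust statement describes. DER helpers and sample certificates
# are constructed for this demo; the samples are unsigned skeletons and the
# modulus is a placeholder number of the right size, not a real RSA key.

def der(tag, payload):
    """Encode one DER TLV (short or long definite length)."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def der_int(value):
    """Encode a non-negative INTEGER (leading 0x00 added when the top bit is set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def parse_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(tlv):
    """Return the child elements of a constructed TLV, each as full TLV bytes."""
    _, payload, _ = parse_tlv(tlv)
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = parse_tlv(payload, pos)
        items.append(der(tag, value))
    return items

# OIDs from RFC 5280 / PKCS #1 that the linter looks for
OID_RSA    = der_oid("1.2.840.113549.1.1.1")   # rsaEncryption
OID_EKU    = der_oid("2.5.29.37")              # extKeyUsage
OID_CRL_DP = der_oid("2.5.29.31")              # cRLDistributionPoints
OID_AIA    = der_oid("1.3.6.1.5.5.7.1.1")      # authorityInfoAccess (OCSP URL)

def lint_certificate(cert_der, min_rsa_bits=2048):
    """Return a list of findings for a DER-encoded X.509 certificate."""
    findings = []
    tbs, _sig_alg, _sig = children(cert_der)          # Certificate ::= SEQ {tbs, alg, sig}
    fields = children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    alg_id, subject_key = children(fields[5])         # subjectPublicKeyInfo
    if children(alg_id)[0] == OID_RSA:
        rsa_key = parse_tlv(subject_key)[1][1:]       # BIT STRING: drop unused-bits octet
        modulus = parse_tlv(children(rsa_key)[0])[1]
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < min_rsa_bits:
            findings.append(f"weak RSA key: {bits} bits (minimum {min_rsa_bits})")
    present = set()
    for field in fields:
        if field[0] == 0xA3:                          # [3] EXPLICIT Extensions
            for ext in children(children(field)[0]):
                present.add(children(ext)[0])         # extnID
    if OID_EKU not in present:
        findings.append("missing Extended Key Usage: no restriction on purpose")
    if OID_CRL_DP not in present and OID_AIA not in present:
        findings.append("no CRL distribution point or OCSP URL: revocation cannot be checked")
    return findings

def build_cert(modulus_bits, extensions):
    """Constructed, unsigned certificate skeleton that only exercises the linter."""
    modulus = (1 << (modulus_bits - 1)) | 1           # placeholder of the right size
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, OID_RSA + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"111101000000Z") + der(0x17, b"121101000000Z"))
    fields = [der(0xA0, der_int(2)), der_int(1), sig_alg, der(0x30, b""), validity, der(0x30, b""), spki]
    if extensions:
        exts = b"".join(der(0x30, oid + der(0x04, value)) for oid, value in extensions)
        fields.append(der(0xA3, der(0x30, exts)))
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))  # zero placeholder signature

URI = b"http://pki.example.invalid/placeholder"      # constructed URL
EKU_SERVER_AUTH = der(0x30, der_oid("1.3.6.1.5.5.7.3.1"))
CRL_DP = der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, URI)))))
AIA_OCSP = der(0x30, der(0x30, der_oid("1.3.6.1.5.5.7.48.1") + der(0x86, URI)))
BAD_CERT = build_cert(512, [])                        # the flaws the article describes
GOOD_CERT = build_cert(2048, [(OID_EKU, EKU_SERVER_AUTH),
                              (OID_CRL_DP, CRL_DP), (OID_AIA, AIA_OCSP)])
```

Running `lint_certificate(BAD_CERT)` yields three findings (512-bit key, no EKU, no revocation information), while `lint_certificate(GOOD_CERT)` yields none. The linter only checks presence of the revocation extensions and only measures RSA moduli; a non-RSA key is left unassessed rather than misreported.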
Although it was initially believed that the rogue certificates had not been used in any malicious campaigns, it later turned out that two of the certificates issued by DigiCert Sdn. Bhd. were deployed in a spear phishing attack against another Asian CA.
Fortunately, the attack was discovered quickly and the damage caused was reduced to a minimum.
As a result of the hack, Microsoft and Mozilla are working on removing the certificates from their trusted lists. Others will probably soon follow.