Security

Journal tqft's Journal: Certify the certs? 2

https://bugzilla.mozilla.org/show_bug.cgi?id=698753
"I suggest that in any public-facing communication we use something like 'the Malaysian company DigiCert Sdn. Bhd.'

http://www.digicert.com.my/

According to Entrust, they are fairly well known in the region, having several government customers, including the central bank.

Entrust has discovered that this subCA has been operating in contravention of a) their contract with Entrust, b) their own CPS, and c) CA good practice, in at least 3 ways:

1) They have issued at least 12 certificates, which are currently valid, using 512-bit RSA keys.
2) Even though Entrust's agreement covers only SSL, many, if not all, of their certs have no EKU (so can be used for anything, including code signing)
3) There are no revocation pointers of any kind in many (probably all) of their certificates.

This issue came to light because the private key for (at least) one of the 512-bit keys has been obtained by an attacker (probably by reverse-engineering; 512-bit RSA is no longer secure), and used to sign malware. This malware was then used in a (noticed) spear-phishing attack on the Asia Pacific office of another CA."

I should be in the air in 24h and be offline for about a week - be careful out there
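All three defects Entrust lists (512-bit RSA keys, no EKU, no revocation pointers) are visible in the certificate itself, so a relying party or auditor can screen an issued certificate for them without any contact with the CA. The script below is an added example, not part of this journal entry and not Entrust's or Mozilla's tooling: it walks a DER-encoded certificate with a minimal stdlib-only ASN.1 reader and reports each of the three conditions. The certificate it audits is constructed inline (placeholder modulus of the requested width, dummy signature); the subject name, CRL URL and the 2048-bit minimum are assumptions.

```python
"""Audit a DER certificate for: weak RSA modulus, missing extendedKeyUsage,
and no revocation pointers (no CRL DP and no AIA).  Stdlib only."""

OID_RSA = "1.2.840.113549.1.1.1"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_EKU, OID_CRLDP, OID_AIA = "2.5.29.37", "2.5.29.31", "1.3.6.1.5.5.7.1.1"

# --- minimal DER encoder (only what the constructed sample needs) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                            # keep the INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                               # base-128, high bit = continuation
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

# --- minimal DER reader ---
def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def audit_certificate(der, min_rsa_bits=2048):
    """Return a list of finding strings; an empty list means none of the three defects."""
    _, cert, _ = parse_tlv(der)
    fields = children(children(cert)[0][1])    # TBSCertificate fields
    if fields[0][0] == 0xA0:                   # skip EXPLICIT [0] version
        fields = fields[1:]
    alg, pubkey = children(fields[5][1])       # SubjectPublicKeyInfo
    findings = []
    if tlv(0x06, children(alg[1])[0][1]) == oid(OID_RSA):
        # BIT STRING body: unused-bits byte, then RSAPublicKey SEQUENCE {modulus, e}
        _, rsa_body, _ = parse_tlv(pubkey[1], 1)
        bits = int.from_bytes(children(rsa_body)[0][1], "big").bit_length()
        if bits < min_rsa_bits:
            findings.append(f"RSA modulus is only {bits} bits")
    ext_oids = set()
    for tag, val in fields:
        if tag == 0xA3:                        # EXPLICIT [3] extensions
            for _, ext in children(children(val)[0][1]):
                etag, ebody = children(ext)[0]
                ext_oids.add(tlv(etag, ebody))
    if oid(OID_EKU) not in ext_oids:
        findings.append("no extendedKeyUsage: usable for any purpose, including code signing")
    if oid(OID_CRLDP) not in ext_oids and oid(OID_AIA) not in ext_oids:
        findings.append("no revocation pointers: neither CRL distribution point nor AIA/OCSP")
    return findings

def build_sample_cert(modulus_bits, with_eku=False, with_crl_dp=False):
    """Constructed certificate for the demo: placeholder modulus, dummy signature."""
    modulus = (1 << (modulus_bits - 1)) | 1    # not a real key, just the right width
    rsa_pub = seq(integer(modulus), integer(65537))
    spki = seq(seq(oid(OID_RSA), b"\x05\x00"), tlv(0x03, b"\x00" + rsa_pub))
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"sub-ca.example.test"))))
    validity = seq(tlv(0x17, b"111101000000Z"), tlv(0x17, b"121101000000Z"))
    sig_alg = seq(oid(OID_SHA256_RSA), b"\x05\x00")
    exts = []
    if with_eku:                               # serverAuth only
        exts.append(seq(oid(OID_EKU), tlv(0x04, seq(oid("1.3.6.1.5.5.7.3.1")))))
    if with_crl_dp:                            # GeneralName uniformResourceIdentifier [6]
        uri = tlv(0x86, b"http://crl.example.test/ca.crl")
        exts.append(seq(oid(OID_CRLDP), tlv(0x04, seq(seq(tlv(0xA0, tlv(0xA0, uri)))))))
    tbs = [tlv(0xA0, integer(2)), integer(1), sig_alg, name, validity, name, spki]
    if exts:
        tbs.append(tlv(0xA3, seq(*exts)))
    return seq(seq(*tbs), sig_alg, tlv(0x03, b"\x00" * (modulus_bits // 8 + 1)))

if __name__ == "__main__":
    for bits, eku, crl in [(512, False, False), (2048, True, True)]:
        print(bits, eku, crl, audit_certificate(build_sample_cert(bits, eku, crl)))
```

Run against real certificates by feeding the DER bytes (for a PEM file, base64-decode the body between the BEGIN/END lines) to audit_certificate; a certificate shaped like the ones described in the bug report produces all three findings, a well-formed SSL certificate produces none.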
