Mozilla, Microsoft withdraw trust in Malaysian intermediate CA

The move follows a bulletin by Entrust which issued the intermediate certificate to the Malaysian company

Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority (CA), after it was found that it had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.

The Malaysian company was issued an intermediate CA certificate in July 2010 by Entrust in Dallas, Texas, which was licensed for distribution with SSL (Secure Sockets Layer) and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.

Entrust said in a bulletin on its website that it had been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Entrust has revoked the 512-bit certificates issued by Digicert and made them available to major browser vendors to blacklist if found appropriate, it added.
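The weaknesses described in the bulletin can be checked mechanically on an end-entity certificate. The following is an added example, not code from Entrust, Mozilla, Microsoft or the article; the 2048-bit floor, the extensions checked (Extended Key Usage, CRL Distribution Points, OCSP) and the sample text are assumptions of this example, since the article does not name the missing extensions.

```shell
# Input: the text printed by `openssl x509 -noout -text` for one certificate.
# The 2048-bit floor and the extensions checked are assumptions of this example.
MIN_RSA_BITS=2048

audit_cert_text() {
    text=$(cat)
    findings=""
    # OpenSSL prints "Public-Key: (512 bit)" or "RSA Public-Key: (512 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'rsaEncryption' &&
       [ -n "$bits" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        findings="WEAK_RSA_$bits"
    fi
    # Revocation pointers: a CRL distribution point or an OCSP responder URI.
    if ! printf '%s\n' "$text" | grep -Eq 'X509v3 CRL Distribution Points|OCSP - URI'; then
        findings="${findings:+$findings }NO_REVOCATION_INFO"
    fi
    # Extended Key Usage limits what an end-entity certificate may be used for.
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        findings="${findings:+$findings }NO_EKU"
    fi
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    printf 'OK\n'
}

# Convenience wrapper for a PEM file on disk (path supplied by the caller).
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Constructed excerpts of openssl text output, not real certificates.
WEAK_SAMPLE='        Subject: CN = weak.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'
GOOD_SAMPLE='        Subject: CN = good.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                  URI:http://crl.example.test/ca.crl'
```

A non-zero exit status from `audit_cert_text` or `audit_cert_file` means at least one finding was printed.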

Digicert in Malaysia does not have any relationship with DigiCert, a CA based in Utah.

Digicert in Malaysia could not be immediately reached for comment. It said on its website that it is at the center of an effective trust model that the Malaysian government is creating to address the issue of information security, and the negative perception about online transactions. The company said it was licensed by the Malaysian government, and its "trust solutions are legally recognized under Malaysian law".

Entrust said it will revoke the intermediate CA certificate on or before Tuesday, to give Digicert Malaysia's customers a "modest amount of time" to replace their SSL server certificates. Entrust has meanwhile made the intermediate certificate available to the browser vendors for blacklisting.

The certificates in question were issued to a mix of Malaysian government websites and internal systems, Mozilla said in its security blog. "We do not believe other sites are at risk," it added.

Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that it was not a Firefox-specific issue, and the update will be in Firefox 8 and Firefox 3.6.24. Mozilla said the issue was reported to it by Entrust.

Firefox 3.6.24 is scheduled for release on Nov. 8 while Firefox 8 will release on Nov. 17, according to Mozilla.

Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update, said Jerry Bryant, group manager, response communications for Trustworthy Computing at the company, in a blog post.

"There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised," Bryant said. The compromised certificates could allow an attacker to impersonate the legitimate owner, thus making the user believe they are trusting a website or signed software that was created for malicious use, he added.

There is no evidence that the Digicert Malaysia certificate authorities have been compromised, Entrust said.

Close to 300,000 unique IP addresses from Iran requested access to using a rogue certificate issued by Dutch CA DigiNotar, according to a report released in September by security firm Fox-IT. A total of 531 digital certificates were issued for domains that included, the CIA, and Israel's Mossad, after a security breach.

John Ribeiro

IDG News Service