Microsoft, Mozilla and Google Ban Malaysian Intermediate CA

Orome1 writes "Microsoft, Mozilla and Google have announced that they are revoking trust in Malaysia-based DigiCert, an intermediate certificate authority authorized by well-known CA Entrust, following the issuing of 22 certificates with weak keys, lacking in usage extensions and revocation information. 'There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised,' wrote Jerry Bryant of Microsoft's Trustworthy Computing."

I lol'd at the stock photo

Every article demands a picture, right.

Re:I lol'd at the stock photo

I have to make a complaint, about SERASA, a credit bureau in Brazil. This company is an irregular CA too, requiring those who wish to subscribe to their services, have both generated keys by SERASA, preventing the user has his own key part cryptographic generated by himself. This is illegal and this corrputed procedure adopted by SERASA compromise the security of cryptography in CA.

Re:I lol'd at the stock photo

Brazilian company SERASA - http://www.serasaexperian.com.br/ - its an irregular CA. This company forces costumers to accept both keys (customer and company) to be generated only by the company, and the costumer cannot generate your own key to share the trusted connection. I already denounce this irregular practice here but my comment was deleted :( I hope slashdot can help denounce this CA too.

Not related to the US Digicert

[swb]

It might have been nice to mention that in the article summary.

Re:Not related to the US Digicert

[XanC]

Oh my goodness, no kidding. How many admins need a defibrillator after reading that headline? I certainly thought for a few minutes that this story would direct my entire weekend.

Re:Not related to the US Digicert

[gmuslera]

In next days they probably will revoke other certification authorities with a similar names. This case was just the next step. Is a slow process and finding uppercase letters in the middle don't make things any faster.

Re:Not related to the US Digicert

The US one has an uppercase letter in the middle too. DigiCert.

Re:Not related to the US Digicert

[psydeshow]

It might have been nice to mention that in the article summary.

Indeed. From the article:

Both Mozilla and Microsoft made sure to note that there is no relationship between DigiCert Malaysia and Utah-based DigiCert Inc., which is a member of the Windows Root Certificate Program and Mozilla’s root program.

Whew!

Re:Not related to the US Digicert

i laughed out loud

Re:Now do the same for China

[e-berlin.org]

yeah, like it's going to happen... and anyway, leave Chinese alone, if it wasn't for them and the Russians i wouldn't be able to watch top gear's latest episodes on youku / rutube

Who generates 512-bit RSA keys these days?

[heypete]

RSA-512 has been known to be weak for a long time.

Who in their right mind would generate such a certificate for (presumably) a production system?

Why didn't the CA have some sort of system to detect such short keys?

The CA I use doesn't allow anything less than 2048-bits to be signed. While the policy may be a bit strict, as 1024-bit keys still have their uses (there's a lot of hardware that only deals with 1024-bit keys), at least they're erring on the side of caution. I'm sure they're not the only one with such a policy.

Re:Who generates 512-bit RSA keys these days?

[yuhong]

This is probably why they are revoking trust for the *entire CA*.

Re:Who generates 512-bit RSA keys these days?

[heypete]

Understood.

My main curiosity is why any administrator would generate 512-bit RSA keys for their own servers, knowing that they're weak.

I wonder if there's some old Malaysian-language "Guide to setting up SSL" website that they're following? I'd be curious if there's any commonality between all the 512-bit keys. That, or some particular software that has that keylength in the default configuration file.

Re:Who generates 512-bit RSA keys these days?

[makomk]

Which is a bit of an interesting decision, as it doesn't compromise anyone except the individuals foolish enough to generate insecure RSA keys and submit them, and there are numerous ways they could've screwed up their own security that the CA could never detect anyway. What's even more interesting is that they've allowed big-name CAs to remain as such despite them issuing fraudulently-obtained certificates corresponding to major websites. I think the size of this CA has a lot more to do with this than their actual bad policies.

Re:Who generates 512-bit RSA keys these days?

[hairyfeet]

Question: Not a crypto guy so my apologies if this sounds noobish but its just something I've been curious about. When I started out in the 80s i remember being told how strong 128bit was, followed by how strong 256bit, then 512bit, now you are saying anything less than 2048bit is shit, so my question is thus: How fast are we going through these things and with the frankly insane amounts of hardware that keep coming down the pipe is this gonna end up some sort of "bit race" between the white and black hats?

Because when I started out the thought of a machine that only weighed 3 pounds and gave you 6 hours away from an outlet yet gave you a better picture than the local movie theater and let you carry whole libraries worth of music and movies was something out of Sci-Fi yet now I have one sitting on my desk and it cost a whole $350. Now that we have OpenCL which looks like it even may replace CUDA (as Nvidia is now supporting it as well as ATI) we have the tech to load a box with a truly insane number of processors to tackle any math problem which I'm sure the black hats will be happy to jump on if they can make money with it.

so how long until 1024 and 2048 are as useless as the old 128 and 256 bit keys? How high of a number can we go to before the time to process it on an average machine makes it not worth the work? again sorry if this is obvious to a crypto guy because that is one field that is frankly over my head so this is just a question from a curious guy on the sidelines. Is there a number high enough to be uncrackable? or is it all just a matter of letting Moore's Law catch up?

Re:Who generates 512-bit RSA keys these days?

Different crypto systems use different key spaces and have different requirements.

RSA for example needs two prime numbers as a keypair, so while the key length might be 512 bit, there are actually not that many from those 2^512 numbers to choose from. Also, certain key values are prone to attacks.

AES on the other hand can use any number you want as a key, so even 128 bit key length is still very strong. Also, as opposed to RSA, there are no weak keys so far.

Re:Who generates 512-bit RSA keys these days?

Well, it actually could compromise others. In addition to the weak keys, the certs didn't have EKUs (Extended Key Usage) so the issued cert could be used as anything... in this case, signing malicious code. 512-bit keys is bad enough, but no EKUs is just plain stupid.

That's why I think this showcases the CA system doing exactly what it was meant to do. The malaysian company didn't follow established requirements, so their intermediate was revoked.

Re:Who generates 512-bit RSA keys these days?

[yuhong]

Except it doesn't, as the bad cert was also "missing certificate extensions", which means it can be used for any purpose after the private key is factored out, and indeed from one of the articles:

"I have been contacted by Entrust who say that two of the certificates issued by the Malaysian DigiCert Sdn. Bhd. were used to sign malware used in a spear phishing attack against another Asian certificate authority," reports Sophos' Chester Wisniewski.

Re:Who generates 512-bit RSA keys these days?

[falzer]

>RSA for example needs two prime numbers as a keypair, so while the key length might be 512 bit, there are actually not that many from those 2^512 numbers to choose from. Also, certain key values are prone to attacks.

How many is not that many? Bruce Schneier in Cryptography Engineering calculates that 1 in 1386 numbers in the 2^2000 bit range is prime. In the 2^512 range primes are even more frequent, according to prime counting estimates.

Re:Who generates 512-bit RSA keys these days?

[heypete]

That's a good question. I will attempt to answer it, with the caveat that I'm also not a crypto expert.

Most of the relatively shorter key lengths you see these days, such as 128-bit and 256-bit refer to symmetric encryption algorithms like AES. At this point in time, such keylengths are secure for the foreseeable future. These algorithms tend to be quite fast (AES has hardware-acceleration in many CPUs, which can encrypt or decrypt data at 1GB+/sec in some cases, and around 300MB/sec on many non-accelerated CPUs), but require that both parties exchanging encrypted data share the same key. (Hence the name "symmetric" -- the same key is used for encrypting and decrypting.)

The two parties could previous exchange a shared symmetric key by means of a trusted channel, like a trusted courier, or meeting in person. This can be extremely difficult in the real-world, though.

The longer-length keys you often see (1024-bit, 2048-bit, 4096-bit and, in the case mentioned in the article, the not-very-secure-at-all 512-bit length) are "asymmetric" keys -- when they're created, one creates a "public key" and a "private key" that are linked a certain mathematical way. The public key can be distributed widely, while the private key must be kept secret. If Alice wants to send Bob a secure message, she can encrypt it with Bob's public key, but the message can only be decrypted with Bob's private key -- even if someone intercepts the encrypted message and has Bob's public key, they are unable to decrypt it.

Asymmetric encryption is extremely slow, relative to symmetric encryption (I seem to recall reading that they're about a thousand times slower). Sending large amounts of data over secure connections would be extremely slow. Fortunately, modern cryptosystems use a hybrid model: they use asymmetric keys to exchange a shared secret key that is then used for faster symmetric encryption -- this allows for quick symmetric encryption methods to be used by solving the problem of exchanging the symmetric key without needing to meet in person.

SSL, for example, uses such a method. A simplified description follows: when your browser connects to a secure website the server sends you its public key (which has been digitally signed by a certificate authority who vouches for the identity of the server). Your browser checks the signature to make sure it's actually been issued by the authority and, if it checks out, creates a random symmetric key, encrypts it with the server's public key and sends it to the server. The server decrypts the symmetric key with its private key. Both client and server then encrypt all future communications with the symmetric key.

Because asymmetric and symmetric encryption keys use entirely different mathematical methods to secure data, their keylengths aren't directly comparable. According to NIST, a 3072-bit asymmetric key is about as strong as a 128-bit symmetric key.

See and for more details.

Re:Who generates 512-bit RSA keys these days?

[Lexx+Greatrex]

I am a cryptographic security researcher. I will give some background on this before answering your specific questions. Information security is subject to the same pressures as other forms of conflict. Such pressures are otherwise known as an "escalation", "arms race" or even as "evolution". Cryptography is one such armament in the information security arsenal; and while cryptography is subject to constant pressure of Moore's Law as you quite rightly assert; more cataclysmic changes can occur through leaps in either or both knowledge or capability. I can think of no better example of these notions than the Enigma machine; first developed in the early 1900's but made extensive use of by Germany during the second world war.

The first countermeasure used against Enigma was reverse-engineering. This lead to identification of weaknesses that whittled down the key size from a massive 380 bits to only just 76 bits. A one in 75,557,863,725,914,323,419,136 chance of randomly guessing (brute forcing) the correct key was still well beyond the resources of brute force at the time. This lead to the construction of the Bombe machine (a precursor to the computer) that could perform rapid searches through the keyspace for given known plaintexts and keys. Enigma was eventually broken through a combination of reverse-engineering, improvements in cryptanalytic techniques, improvements to computational power leading to faster brute force and the exploitation of systemic and human factor weaknesses. As a result, countermeasures to such attacks were developed such as the foundational principles of modern cryptography, developed by Claude Shannon in 1948.

How fast are we going through these things and with the frankly insane amounts of hardware that keep coming down the pipe is this gonna end up some sort of "bit race" between the white and black hats?

I am guessing that the speed of innovation is partly driven by necessity. There will be periods of relatively steady improvements on both sides of the fence like there has been over recent years; then like with Enigma, there will be periods where there are giant leaps forward in technology and knowledge. There most assuredly is a "bit race" and it will continue so long as there is conflict.

so how long until 1024 and 2048 are as useless as the old 128 and 256 bit keys?

Giant leaps of technology aside, our industry generally accepts conclusions made about minimum key-length for each cipher by NIST : http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf. In short:

For AES, 128 bits is the minimum acceptable key size with no timeframe on when 256 bits will be required (everyone assumes this will occur around 2015)
For RSA, 1024 bit keys are the minimum acceptable key size until 2013 when the minimum will be increased to 2048 bit

How high of a number can we go to before the time to process it on an average machine makes it not worth the work? Is there a number high enough to be uncrackable? or is it all just a matter of letting Moore's Law catch up?

Just like mechanical computers in the time of Enigma, current silicon-based computers are quickly reaching practical limits and Moore's law is starting to show signs of fatigue. But if it were to be built, a quantum supercomputer could be so powerful as to render all current key sizes useless. But even the fastest quantum computer will have a speed limit; and so should every newer and faster generation of computer; because all such things are constrained by the Universe's ultimate speed limit. So long as it takes longer to break a cipher without knowing the key than it does to transmit encrypted information using knowing the key, there will always be secrecy in numbers.

Re:Who generates 512-bit RSA keys these days?

[kermidge]

Thank you Pete and Lexx for explaining more stuff more succinctly than anything I've seen ere now.

Re:Who generates 512-bit RSA keys these days?

[owlstead]

That said, RSA is well known to not have key pairs that grow in security in a linear fashion compared with key length. EC fortunately has much better properties, although EC certainly has its own drawbacks. A 256 bit EC key has similar security to a 128 bit AES key (insofar as you can compare those) and 512 bit has about the same as 256 bit AES. You will quickly go to 16K RSA keys to accomplish a similar security level. Try and generate a 16K RSA key pair and do a few signings to see what that means. Try the same for a 512 brainpool curve (or 521 bit NIST), and you'll understand the difference quite clearly. Or better: do it the other way because the RSA key pair generation might take some time.

Re:Who generates 512-bit RSA keys these days?

[jrumney]

In addition to the weak keys, the certs didn't have EKUs (Extended Key Usage) so the issued cert could be used as anything...

That sounds like a problem that should be fixed by the browser makers, not by the CA. Why does the default have to be "everything", and not "nothing", or some minimum set of usages?

Re:Who generates 512-bit RSA keys these days?

[jonwil]

Except in this case its not the browser makers that would need to fix it, its companies like Microsoft who accept these certificates as valid for code signing when they were not explicitly marked with a "can be used for code signing" flag.

Re:Who generates 512-bit RSA keys these days?

[hairyfeet]

Thanks to you and Pete for explaining this subject in much closer to layman's terms than I've ever seen it tackled, it does make me think of a couple of follow up questions if you don't mind.

Since as you pointed out with Enigma (which IIRC there is still a handful of messages they still haven't cracked after all these years) there are gonna be advances coming down the pipe and that both AES 128 and RSA 1024 have expiration dates, wouldn't it be smarter to try to jump a little bit ahead of the curve? by that I mean wouldn't it be smarter to just go ahead and switch to 512 bit AES and 4096 RSA when the previous schema expires? Or is that too computationally expensive with current technology?

Which brings me to my second question: Back in the day we had math co-processors for seriously heavy number crunching and today thanks to HT on the AMD side and QP on the Intel side we once again have the ability to place a co-processor on a bus that is as fast as the CPU my second question is thus: Since from what Pete wrote (again not an expert, he may be wrong, I don't know) the majority of the key generation is being done on the server side wouldn't it be advantageous to use a "crypto co-processor" to allow much larger and thus stronger keys to be generated quicker and thus as you put it "leap ahead" in the bit race? I know Via has native crypto in their silicon and FPGAs allow one to build a custom chip easily but it just seems to me with so many black hats throwing so much power at the wall it would make sense to throw some specialized silicon at the problem instead of just more generic CPUs.

Again sorry if these are noob questions as I found out when trying to learn more about the subject that very quickly the math shot straight over my head, but these are two questions that as a layman I thought would be more of an obvious evolution, but of course I'm sure there is some hidden gotcha I'm missing which is why it isn't done.

Re:Who generates 512-bit RSA keys these days?

[Lexx+Greatrex]

Thanks to you and Pete for explaining this subject in much closer to layman's terms than I've ever seen it tackled, it does make me think of a couple of follow up questions if you don't mind.

Not at all, you questions are poignant and well-framed.

Since as you pointed out with Enigma (which IIRC there is still a handful of messages they still haven't cracked after all these years) there are gonna be advances coming down the pipe and that both AES 128 and RSA 1024 have expiration dates, wouldn't it be smarter to try to jump a little bit ahead of the curve?by that I mean wouldn't it be smarter to just go ahead and switch to 512 bit AES and 4096 RSA when the previous schema expires? Or is that too computationally expensive with current technology?

Yes, going too far beyond current standards is expensive. As you imply, when computational overhead is considered (particularly in terms of server hardware) the cost of supporting increased key lengths is significant. For ciphers that are embedded in hardware devices there is further pressure to reduce footprint and fabrication costs as well as motivation to build in some amount of redundancy. Economic pressure therefore acts to resist the urge to overstep the Moore curve too greatly.

Which brings me to my second question: Back in the day we had math co-processors for seriously heavy number crunching and today thanks to HT on the AMD side and QP on the Intel side we once again have the ability to place a co-processor on a bus that is as fast as the CPU my second question is thus: Since from what Pete wrote (again not an expert, he may be wrong, I don't know) the majority of the key generation is being done on the server side wouldn't it be advantageous to use a "crypto co-processor" to allow much larger and thus stronger keys to be generated quicker and thus as you put it "leap ahead" in the bit race? I know Via has native crypto in their silicon and FPGAs allow one to build a custom chip easily but it just seems to me with so many black hats throwing so much power at the wall it would make sense to throw some specialized silicon at the problem instead of just more generic CPUs.

Cryptoprocessors exist right now but they require specialist software, are expensive to fabricate and are costly or impractical to upgrade. Even if these problems were mitigated by mass production, Moore's law dictates that they will be rapidly outmoded by cheaper and faster generic chips of the near future. As such, custom hardware will only ever be economically viable for those wanting "military grade" security who also have a pentagon-grade budget to spend on it.

I'm sure there is some hidden gotcha I'm missing which is why it isn't done.

The hidden gotcha is that information security is not all about cryptography. In fact, ciphers like AES and RSA with currently approved key sizes are the most secure part of our information security infrastructure. Rather than trying to break ciphers, black hats are expert at finding the weakest part of a system and attacking that instead; such as finding out where a system stores its cryptographic keys; how to intercept secrets before they've been encrypted or after they've been decrypted; and even more rudimentary things that remain the most successful infiltration strategies to date: Password dictionaries, key-loggers and human factor attacks such as bold-faced asking people for their password.

Black hats are successful because people make bad choices when they design their security systems, when they write their policies, when they monitor and review their systems, when they train their staff and when they respond to incidents. Cryptography has advanced significantly since the days of Enigma but unfortunately human nature hasn't changed much at all.

Re:Who generates 512-bit RSA keys these days?

[hairyfeet]

Thanks for the response, i knew there had to be a gotcha I hadn't seen. and as a humble PC repairman I know all to well the weakest link is often not the hardware but the little meatsack in front of the keyboard. I had a teacher that was once giving a tour of a "secure server' farm and the BOFH kept going on and on about how their insane password schema made them 'hackproof" until the teacher finally got fed up and said "Tell you what, you let me loose in the place for 10 minutes and if I can't bring you a working password I'll give you $100 and buy you a steak dinner".

Well sure enough the BOFH took him up on it and in less than 10 minutes he came back with 5 passwords and user logins, including one of their master passwords that pretty much would let you pwn the whole thing. When the BOFH demanded to know how he did it, he just started walking down the aisles and flipping keyboards, sure enough passwords were sticky noted all over the place!

I guess I was just hoping security at the higher levels would be more of a technical issue than PEBKAC, but from reading your explanations I guess we all have to deal with the Forest Gumps of the world. I bet when you see some beautiful security system turned into a mess because of bad policies you feel like I do when i hand over some box i lovingly created only to have them turn it into a spyware/adware laden mess in less than a month, just like that scene in "History of The World part I" where the artist gets his work pissed on by the critic!

Re:Who generates 512-bit RSA keys these days?

[Lexx+Greatrex]

I bet when you see some beautiful security system turned into a mess because of bad policies you feel like I do when i hand over some box i lovingly created only to have them turn it into a spyware/adware laden mess in less than a month, just like that scene in "History of The World part I" where the artist gets his work pissed on by the critic!

Indeed. Apathy, ignorance and laziness are the greatest of all foe.

Re:Now do the same for China

[SharkLaser]

And while we're at it, revoke all rights from US to touch domain names. Shut down ICANN as it has constantly shown willingness to fuck over US and other nationals and US isn't shy to hijack domains belonging to other nationals.

Malaysia?

[slashfoxi]

This is more proof that Malaysia is not a real place. I mean look up some pictures of their subway or their big skyscrapers. Fake photoshopped renderings. Now think about where it is on a map. You can't. Because it isn't.

Re:Malaysia?

I have been to Malaysia. Can't explain that!

Re:Malaysia?

This is more proof that Malaysia is not a real place. I mean look up some pictures of their subway or their big skyscrapers. Fake photoshopped renderings. Now think about where it is on a map. You can't. Because it isn't.

The world's ranked no 1 Sqash Championship player is a Penang born Malaysian brilliant intelligent kid an still lives in a country called Malaysia ;). 2nd best player comes from Australia.

By the way, the twin tower is real - the pix in entrapment movie did not do any justice ;). There we're mixing with 2 different locations which was about 100km apart :D

Re:Now do the same for China

[X0563511]

Nothing prevents you from installing their certificate yourself if you don't agree with the decision.

That Malaysian DigiCert site is fun

[jayhawk88]

"DIGICERT is in the center of an effective trust model that the government is creating to address the issue of information security and the negative perception that has been painted in association with online transactions." *BREATH*

"Customers won't transact business at your website unless they are certain it's secure."

"The username and static password scheme has been widely used for verification online. Nevertheless, many have recognize this scheme as being obsolete as it can no longer be trusted to provide proper authentication online. There are countless of software distributed freely across the Internet that enables the cracking of passwords. There are also hundreds of web sites that displays 'Most Recently Hacked' passwords."

You can't really call it proper Engrish, but it's just a little off too.

Re:That Malaysian DigiCert site is fun

[IMightB]

My wife is Malay, and trust me they don't speak Engrish, they speak Manglish.

Re:I thought Linux was so secure slashdotters

[0123456]

I know! I posted my root password on my web site and some asshole hacked into it. And they told me Linux was secure! I'm switching to Windows!

Re:Now do the same for China

[tokul]

Given their ways of being against their own citizens

Lets replace "own citizens" with "foreign nationals" and blacklist USA.

Re:Now do the same for China

[Desler]

Why would they install the very certificates they want revoked?

Re:I thought Linux was so secure slashdotters

If you want a secure system think about AIX. You're dreaming if you think Windows or linux will keep your information secure.

Company name change request

[whtmarker]

Slashdot editors... please change the name of the company in the summary to "DigiCert Sdn. Bhd." which does identity card business, to avoid confusion with US based "DigiCert Inc".

DigiCert Inc is a major SSL CA used by Yahoo, Facebook and others.

Re:Now do the same for China

[X0563511]

Because you want to? Does it matter? The point is that you can - just like you can import your own CA.

Hello? Apple?

So... once again, Mozilla, MS and Google have dropped a certifier known to be signing weak certs to questionable customers, protecting everyone on the web except those who use Apple iOS devices, WebKit-backed Apple apps, and the Safari web browser.

I guess we can expect an update next month. This means a 1-month window of bank phishing campaigns actively targeting iOS (and likely Android) and Apple users.

Re:Now do the same for China

[Desler]

Because you want to what? He wants their certificates revoked he didn't want to install them. Is your reading comprehension that poor?

Re:Hello? Apple?

[Desler]

I hate to piss on your trolling but this CA is not a trusted authority in iOS.

Re:I thought Linux was so secure slashdotters

[X0563511]

Your OS can't help you if you do everything wrong anyway. You can get DOS up and exploitable if you're just the right sort of special (hint, if you miss it: DOS doesn't have a built-in network stack)

Re:Now do the same for China

[X0563511]

Apparently yours is that poor. His point is "well we might as well do X since we're already doing Y" meaning he disagrees with Y.

Censorship?

Will someone please explain if this effectively blocks ( censors ) certain sites on a defacto basis?

 

Re:Censorship?

[Desler]

No it doesn't. You can always reinstall the root cert if you want.

Re:I thought Linux was so secure slashdotters

[Korin43]

4/5 of the CA's recently breached run Linux:

http://uptime.netcraft.com/up/graph?site=StartCom.com

http://uptime.netcraft.com/up/graph?site=GlobalSign.com

http://uptime.netcraft.com/up/graph?site=Comodo.com

http://uptime.netcraft.com/up/graph?site=DigiCert.com

Now, why's that? I thought Linux was secure, hearing it for years here on slashdot??

Wait, there are CAs that don't use Linux?

Re:I thought Linux was so secure slashdotters

[MysteriousPreacher]

I wonder if there's something for Linux that's equivalent to Blizzard's Warcraft password inspector. He contacted me last week, asking to inspect my password to ensure that it's secure. It was kind of embarrassing that my account got hacked, and my credit card maxed out, shortly after I'd sent him my password. Fortunately though I was able to regain access and change my password. I forwarded the new password to the inspector and apologized if he had trouble trying to use the old one. Email the Blizzard guy to see if he knows the Linux password inspector. His address is paswordinspecter@blizzard-account-admin.shulinhost.cn

Eliminate Intermediate CA's, restrict root CA's.

[ad454]

The CA model is clearly broken, it is a chain that is too long with too many weak links. We have hundreds of root CA's, and combined with intermediate CA's, that number could be in the thousands. That is too many points of failure, which can bring down the entire system.

The following needs to be done immediately:

First: Eliminate Intermediate CA's:
If an entity does not qualify as a root CA, why should it be allowed to issue trusted certificates?

Second: Restrict Root CA'S by geography:
It is okay to trust the Chinese Post Office for *.cn, *.hk, etc. domains, why should we trust it for *.ca or *.com of Canadian companies? Why not restrict root CA's to geographic zones and also domain prefixes.

Three: Certificate Caching & Monitoring Should be built into browsers:
Certificate Patrol is an excellent addon that does this, why isn't it built into browsers? https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

Re:Eliminate Intermediate CA's, restrict root CA's

The CA model was developed at a time when many end-user systems did not have persistent connections to the Internet. Not all systems today have such connections. So revocation lists, etc. and support of a "store and forward" model are necessary. Risk can be managed through proper application of a CA hierarchy.

Also, one thing that can be one with a hierarchy of CA's is to create levels of indirection or "top level intermediaries" that protect the root key. Your root CA should NOT be *anywhere near* your other top level intermediates. Ideally the root key wouldn't be network accessible at all.

Intermediate CA's are also useful to delegate subsets of authority without putting the entire CA's root key at risk.

Clearly DigiCert Sdn. Bhd has done it wrong. Agree with you totally on points 2 and 3.

Re:Eliminate Intermediate CA's, restrict root CA's

[starfishsystems]

Mod up. This is a nice synopsis.

the system is wrong

[Onymous+Coward]

The CA model is broken. Always has been. Your browser comes with several hundred baked-in CAs, each with complete authority over what your browser thinks is a trustable connection. It's like a RAID 0 array with 600 drives. Just asking for trouble, huh? And it's hard or even impossible to tell when one of those drives is reading or writing bad data. Like the truism about hard drives, "hard drives just fail (so get backups)", CAs fail. Evidently.

Being a CA is a "race-to-the-bottom" business where vendors compete on price. Anyone can be a CA (go right ahead — get OpenSSL and google how), but to compete you have to aim for cheap and cheaper; the landscape is littered with shoddy and dodgy businesses, let alone organizations (e.g., governments) with other interests specifically prioritized over your security. Even if CAs were almost always well-run, you'd still have some rotten ones sitting at the tail of the bell curve. And, again, those failures have complete power over your browser's security.

The model is inherently faulty.

Re:the system is wrong

Anyone can be a CA but only some are actually trusted. To get trusted, they have to (or are supposed to) comply with regulations set by the browsers. The system isn't broken, just needs to clean house and actually cross-check certs on a reputation basis. (Think mix of convergence and cert patrol on top of the CA architecture)

Re:the system is wrong

[Onymous+Coward]

Granted, the browser vendors set standards for accepting CAs. That's a barrier to keep out obviously bad CAs. But that's still just adding QA on hard drive production.

I still don't want to run a RAID 0 array with 600 hard drives, regardless of how high quality they are.

Re:the system is wrong

[fast+turtle]

The reason the CA system is broken is because we're not using the White List Model of "Trust No One". I've had to address this issue in Firefox by going through the entire list of certificates and marking everyone of them as untrusted and the funny thing is, I've only had to create a dozen exceptions to that model. These are websites that I depend such as my bank, merchants (Newegg), Google as I do use their https mode. Seriously, it did suprise me that I only needed 12 exceptions to the rule and each one is an individual exception.

Re:the system is wrong

[The+Mr.K]

The average user doesn't have the know-how to do that. Normal users freak out if they see that they have to accept a certificate - to them, it means their computer is about to burst into flames and hacker ninjas are going to come through the window and steal their credit cards. Also, there still isn't anything stopping one of the few CAs you created exceptions for from being tampered with.

Re:Eliminate Intermediate CA's, restrict root CA's

Definitely agree on 2nd & 3rd points. The first is in the right direction, but CA's need intermediates to protect the root certificates. Maybe it makes sense to hold the root CA responsible for anything that happens via their intermediates. This way, CA's will be more judicious about who they share their trust with (and actually audit intermediate-issued certs in a meaningful fashion).

It's too drastic to say the model is broken. If anything, this incident proves the CA system works - the bad actor had their trust revoked. Just needs to be a tightening of the ship.

Linux has 3 unpatched vulnerabilities

That are remotely exploitable in the current latest Linux kernel, but they are in multiple parts (so there's more like 20 of them)):

http://secunia.com/advisories/44754/

http://secunia.com/advisories/19402/

http://secunia.com/advisories/14295/

So once more: How come I keep hearing that Linux is "so secure" here all the time over the years now?

Re:Now do the same for China

No, his point was "now that we've done Y, let's do X" meaning he agrees with both Y and X.

Linux = "doing it wrong"

Linux not only has 3 remotely unpatched security vulnerabilities and ones that the end user has no workarounds for apparently, but, also one for more than 6 yrs. now no less http://secunia.com/advisories/14295/ , but these recent security breaches don't help either:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com (runs Linux) Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

---

Then, there's ANDROID, and it's showing us all that all the FUD on /. for years now that Linux is secure is just that, fud. It's being torn up in the hundreds with exploits and yes, ANDROID uses Linux kernel.

Now, you said this:

Your OS can't help you if you do everything wrong anyway by X0563511 (793323) on Friday November 04, @01:26PM (#37949678) Homepage Journal

So much for that in light of the above facts. See my subject-line.

Re:Linux = "doing it wrong"

Alexander Peter Kowalski is a fag.

hand-edited CA list

[Onymous+Coward]

by going through the entire list of certificates and marking everyone of them as untrusted

That's fantastic. I never would have expected someone to try this.

the funny thing is, I've only had to create a dozen exceptions to that model

Oh, very interesting. Of course this technique wouldn't work for the average user, but it gives us some insight into possibilities.

Seems you've virtually rejected the CA model and instituted your own. Actually, you're probably now closer to a "decide for yourself whom to trust" model than the CA model. I wonder what kind of facilities/tools would make your endeavor easier. I'm thinking you're not very far from just popping over to a certificates-oriented model like the notary models of Perspectives and Convergence.

Re:hand-edited CA list

It's basically identical to the NoScript approach.

CA's breached recently (that use LINUX)

4 WERE BREACHED RECENTLY & THEY RUN LINUX:

http://uptime.netcraft.com/up/graph?site=StartCom.com

http://uptime.netcraft.com/up/graph?site=GlobalSign.com

http://uptime.netcraft.com/up/graph?site=Comodo.com

http://uptime.netcraft.com/up/graph?site=DigiCert.com

APK

Off topic illogical adhominem attacks

Are non-sequitur troll, and need not apply (like you). Go back to your hole.

Re:Off topic illogical adhominem attacks

You are APK.

Re:Off topic illogical adhominem attacks

Not apk but I posted here. You are a troll though. No doubt about that.

Re:Off topic illogical adhominem attacks

Not apk

Yes you are. We all know it.

Re:Off topic illogical adhominem attacks

u mean we all know ur mental.

Re:Off topic illogical adhominem attacks

Shut up, APK.

Re:Off topic illogical adhominem attacks

No. We don't take your orders. You can't make truth here go away http://tech.slashdot.org/comments.pl?sid=2509790&cid=37952654 Facts are facts, and Linux is getting breached left and right lately.

Re:Off topic illogical adhominem attacks

"We"? Do you have a mouse in your pocket, or are you just happy to see me?

Re:Off topic illogical adhominem attacks

Speak for yourself about using "we" here http://tech.slashdot.org/comments.pl?sid=2509790&cid=37975942