Microsoft, Mozilla and Google Ban Malaysian Intermediate CA
Orome1 writes "Microsoft, Mozilla and Google have announced that they are revoking trust in Malaysia-based DigiCert, an intermediate certificate authority authorized by well-known CA Entrust, following the issuing of 22 certificates with weak keys, lacking in usage extensions and revocation information. 'There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised,' wrote Jerry Bryant of Microsoft's Trustworthy Computing."
Every article demands a picture, right.
It might have been nice to mention that in the article summary.
Given their ways of being against their own citizens, as well as actively hacking those in the developed world, blacklist them as well.
That's the truth, despite what modbombing you might try.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
RSA-512 has been known to be weak for a long time.
Who in their right mind would generate such a certificate for (presumably) a production system?
Why didn't the CA have some sort of system to detect such short keys?
The CA I use doesn't allow anything less than 2048-bits to be signed. While the policy may be a bit strict, as 1024-bit keys still have their uses (there's a lot of hardware that only deals with 1024-bit keys), at least they're erring on the side of caution. I'm sure they're not the only one with such a policy.
This is more proof that Malaysia is not a real place. I mean look up some pictures of their subway or their big skyscrapers. Fake photoshopped renderings. Now think about where it is on a map. You can't. Because it isn't.
"DIGICERT is in the center of an effective trust model that the government is creating to address the issue of information security and the negative perception that has been painted in association with online transactions." *BREATH*
"Customers won't transact business at your website unless they are certain it's secure."
"The username and static password scheme has been widely used for verification online. Nevertheless, many have recognize this scheme as being obsolete as it can no longer be trusted to provide proper authentication online. There are countless of software distributed freely across the Internet that enables the cracking of passwords. There are also hundreds of web sites that displays 'Most Recently Hacked' passwords."
You can't really call it proper Engrish, but it's just a little off too.
4/5 of the CA's recently breached run Linux:
http://uptime.netcraft.com/up/graph?site=StartCom.com
http://uptime.netcraft.com/up/graph?site=GlobalSign.com
http://uptime.netcraft.com/up/graph?site=Comodo.com
http://uptime.netcraft.com/up/graph?site=DigiCert.com
Now, why's that? I thought Linux was secure, hearing it for years here on slashdot??
Slashdot editors... please change the name of the company in the summary to "DigiCert Sdn. Bhd." which does identity card business, to avoid confusion with US based "DigiCert Inc".
DigiCert Inc is a major SSL CA used by Yahoo, Facebook and others.
So... once again, Mozilla, MS and Google have dropped a certifier known to be signing weak certs to questionable customers, protecting everyone on the web except those who use Apple iOS devices, WebKit-backed Apple apps, and the Safari web browser.
I guess we can expect an update next month. This means a 1-month window of bank phishing campaigns actively targeting iOS (and likely Android) and Apple users.
I hate to piss on your trolling but this CA is not a trusted authority in iOS.
Will someone please explain if this effectively blocks ( censors ) certain sites on a defacto basis?
The CA model is clearly broken, it is a chain that is too long with too many weak links. We have hundreds of root CA's, and combined with intermediate CA's, that number could be in the thousands. That is too many points of failure, which can bring down the entire system.
The following needs to be done immediately:
First: Eliminate Intermediate CA's:
If an entity does not qualify as a root CA, why should it be allowed to issue trusted certificates?
Second: Restrict Root CA'S by geography:
It is okay to trust the Chinese Post Office for *.cn, *.hk, etc. domains, why should we trust it for *.ca or *.com of Canadian companies? Why not restrict root CA's to geographic zones and also domain prefixes.
Three: Certificate Caching & Monitoring Should be built into browsers:
Certificate Patrol is an excellent addon that does this, why isn't it built into browsers? https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
The CA model was developed at a time when many end-user systems did not have persistent connections to the Internet. Not all systems today have such connections. So revocation lists, etc. and support of a "store and forward" model are necessary. Risk can be managed through proper application of a CA hierarchy.
Also, one thing that can be one with a hierarchy of CA's is to create levels of indirection or "top level intermediaries" that protect the root key. Your root CA should NOT be *anywhere near* your other top level intermediates. Ideally the root key wouldn't be network accessible at all.
Intermediate CA's are also useful to delegate subsets of authority without putting the entire CA's root key at risk.
Clearly DigiCert Sdn. Bhd has done it wrong. Agree with you totally on points 2 and 3.
Mod up. This is a nice synopsis.
Parity: What to do when the weekend comes.
The CA model is broken. Always has been. Your browser comes with several hundred baked-in CAs, each with complete authority over what your browser thinks is a trustable connection. It's like a RAID 0 array with 600 drives. Just asking for trouble, huh? And it's hard or even impossible to tell when one of those drives is reading or writing bad data. Like the truism about hard drives, "hard drives just fail (so get backups)", CAs fail. Evidently.
Being a CA is a "race-to-the-bottom" business where vendors compete on price. Anyone can be a CA (go right ahead — get OpenSSL and google how), but to compete you have to aim for cheap and cheaper; the landscape is littered with shoddy and dodgy businesses, let alone organizations (e.g., governments) with other interests specifically prioritized over your security. Even if CAs were almost always well-run, you'd still have some rotten ones sitting at the tail of the bell curve. And, again, those failures have complete power over your browser's security.
The model is inherently faulty.
Definitely agree on 2nd & 3rd points. The first is in the right direction, but CA's need intermediates to protect the root certificates. Maybe it makes sense to hold the root CA responsible for anything that happens via their intermediates. This way, CA's will be more judicious about who they share their trust with (and actually audit intermediate-issued certs in a meaningful fashion).
It's too drastic to say the model is broken. If anything, this incident proves the CA system works - the bad actor had their trust revoked. Just needs to be a tightening of the ship.
That are remotely exploitable in the current latest Linux kernel, but they are in multiple parts (so there's more like 20 of them)):
http://secunia.com/advisories/44754/
http://secunia.com/advisories/19402/
http://secunia.com/advisories/14295/
So once more: How come I keep hearing that Linux is "so secure" here all the time over the years now?
Linux not only has 3 remotely unpatched security vulnerabilities and ones that the end user has no workarounds for apparently, but, also one for more than 6 yrs. now no less http://secunia.com/advisories/14295/ , but these recent security breaches don't help either:
---
KERNEL.ORG COMPROMISED:
http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised
---
Linux.com pwned in fresh round of cyber break-ins:
http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/
---
Mysql.com (runs Linux) Hacked, Made To Serve Malware:
http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware
---
Then, there's ANDROID, and it's showing us all that all the FUD on /. for years now that Linux is secure is just that, fud. It's being torn up in the hundreds with exploits and yes, ANDROID uses Linux kernel.
Now, you said this:
Your OS can't help you if you do everything wrong anyway by X0563511 (793323) on Friday November 04, @01:26PM (#37949678) Homepage Journal
So much for that in light of the above facts. See my subject-line.
That's fantastic. I never would have expected someone to try this.
Oh, very interesting. Of course this technique wouldn't work for the average user, but it gives us some insight into possibilities.
Seems you've virtually rejected the CA model and instituted your own. Actually, you're probably now closer to a "decide for yourself whom to trust" model than the CA model. I wonder what kind of facilities/tools would make your endeavor easier. I'm thinking you're not very far from just popping over to a certificates-oriented model like the notary models of Perspectives and Convergence.
4 WERE BREACHED RECENTLY & THEY RUN LINUX:
http://uptime.netcraft.com/up/graph?site=StartCom.com
http://uptime.netcraft.com/up/graph?site=GlobalSign.com
http://uptime.netcraft.com/up/graph?site=Comodo.com
http://uptime.netcraft.com/up/graph?site=DigiCert.com
APK
Are non-sequitur troll, and need not apply (like you). Go back to your hole.