EVER WATCHFUL: CyberSecurity Malaysia says policing the trustworthiness of security certificates must be proactive and continuous. - Reuters
The Star (14 Nov 2011)
KUALA LUMPUR: CyberSecurity Malaysia wants the Government to consider stronger audit policies for security certificates.
This comes in the wake of the revoking of trust by three major Internet browsers against local intermediate certificate authority (CA) DigiCert Sdn Bhd.
Google, Mozilla and Microsoft revoked trust in DigiCert following the issuance of 22 certificates with weak keys, lacking in usage extensions and revocation information.
Security certificates are used as a means of verifying the identity of a website that a user visits. On Nov 3, identity-based security software and services company Entrust, which counts DigiCert as one of its subordinate CAs, issued a statement on its website stating: "Their (DigiCert's) certificate issuing practices violated their agreement, their Certification Practice Statement, and accepted CA standards."
Entrust also globally revoked DigiCert's signing certificates on Nov 8, allowing time for their customers to acquire valid replacement certificates.
According to online reports, two of the weak certificates issued by DigiCert were allegedly used to disguise malware which was used in a targeted attack against another Asian certificate authority. The authority noticed the attack and raised the alarm.
In addition to only having 512-bit encryption, the DigiCert certificates did not contain Extended Key Usage (EKU) - used to tell browsers what type of rights a digital certificate should have and revocation information, which would have allowed for a certificate recall.
In a statement issued on its website, Mozilla expressed concern with the technical practices of DigiCert, which it said was the main reason behind its decision to revoke its trust.
An attacker could use one of these weak certificates to impersonate the legitimate owners. This could deceive users into trusting websites or verify software that appeared to originate from these owners but in actuality could contain malicious software, the company said.
The certificates in question were issued to a mix of Malaysian government websites and internal systems. Mozilla said it did not believe other sites were at risk.
Not the same
Lt Col (Ret) Prof Datuk Husin Jazri, CEO of CyberSecurity Malaysia, said: "From our understanding, the revocation of trust is due to not fully complying with the strict standards required in issuing SSL certificates.
"This is not something that the big browser players are willing to tolerate." An agency under the Ministry of Science, Technology and Innovation, CyberSecurity is also one of DigiCert's clients.
Husin said this incident is unlike the case of DigiNotar, a Dutch CA owned by VASCO Data Security International which experienced a security breach earlier this year, resulting in the fraudulent issuing of certificates, and was later declared bankrupt.
"However, big players like Mozilla, Microsoft and Google will not take chances no matter how small the issue is when it comes to trust or security issues because they are in an industry where trust is of utmost importance," he added.
DigiCert issued a statement on Nov 5 and denied any fraudulent activity on its part. "We view the allegations as very serious and we vehemently deny any fraudulent act on our part.
"Nevertheless, we are currently investigating what had prompted such allegations and we are treating this matter as our top priority," DigiCert CEO Mohd Rosdeen Hassan said in the statement.
In a follow-up statement, issued on Nov 7, the company acknowledged the issuance of the certificates with weak keys. In this, it stated: "The SSL 512-bit key certificates issued under Digisign Server ID have mismatched capabilities from the prescribed standards."
DigiCert has since revoked the 22 certificates and advised the Internet browser companies to blacklist the certificates in addition to sending out advisories to impacted customers to replace their current Secure Socket Layer (SSL) certificates.
Rosdeen said the process of re-issuing new 2,048-bit security certificates began on Nov 7, with a special task force and a dedicated callcentre set up to answer queries from its customers. "We are going above the minimum prescribed standard (1,024-bit encryption) because we believe this is in the best interest of our clients," he said.
When asked why such weak certificates were issued in the first place, Rosdeen said the reason for the issuance of the 512-bit key certificates was prompted by requests on their clients' part.
"Certain clients felt that 512-bit was enough for their sites, with stronger encryption potentially having a detrimental effect on the performance of their applications," he said. DigiCert said about 600 sites are impacted by this revocation and the process of changing the certificates would take days because the main hurdle is contacting all the affected parties and guiding them through the process.
Rosdeen said the company is revising its internal policy to incorporate stricter processes on issuance of certificates for all SSL customers and will undertake the employment of a Webtrust program so that in future it will not be dependant on foreign-root CAs.
CyberSecurity's Husin praised DigiCert for its quick action. "It is notable that DigiCert took immediate mitigation steps for all the affected sites," he said. "All of their customers are now signed directly with Entrust."
The DigiCert case comes at a time of heightened alerts surrounding CAs, with a growing list of companies that have had to admit they suffered serious attacks on their certificate infrastructure this year.
Husin reported that CyberSecurity is seeing increasing incidents where valid certificates are stolen from computers or servers that store them and are being used to sign malware.
"From these events we see the need for CAs to beef up security and this could be achieved by having proactive and continuous security practices," he said.
Husin said CAs need to be responsive to security incidents reported by security teams or researchers, and exercise the revocation policy more promptly once those incidents are detected.
"The Government could consider implementing stronger audit policies for security certificates, and appoint an agency to enforce them," he said.
Or, he said, CAs in Malaysia could be categorised as a Critical Sector under the Critical National Information Infrastructure (CNII), thus requiring these companies to comply with the more stringent CNII security standards.