My OperaBlacklisting 22 certificates with 512-bit RSA keys
By Yngve Nysæter Pettersenyngve. Friday, November 4, 2011 4:17:38 PM
Earlier this week news reached us that a small subordinate CA in Malaysia, Digicert Sdn. Bhd. (which we hasten to add, has no association with, and must not be confused with, the US-based Root CA Digicert, Inc., which is a member of Opera's Rootstore), had been discovered to have issued certificates that did not meet several technical and contractual requirements it was supposed to follow. We have therefore blacklisted several of their certificates.
The problems were:
Digicert Sdn. Bhd. is not a Root CA, but is a subordinate CA that operates using an Intermediate CA certificate issued by another CA, in this case they have certificates for their key issued by Cybertrust/Verizon and Entrust, both of which are members of Opera's Rootstore.
There are no indications that any certificates have been issued fraudulently, but the above points break not just the CA's own rules, they break the contracts that they signed with the two Root CAs that issued the intermediate CA certificates they have been using. For this reason Cybertrust have already revoked the certificate they issued to Digicert Sdn. Bhd., and Entrust will revoke theirs in a few days. Entrust is delaying the revocation a few days so that the affected web sites can have a few days grace time to obtain new certificates from a different issuer.
Since such certificates do not display as secure in Opera anyhow (see below), we have decided to allow this grace period. Should there be any signs of problems in the meanwhile, we can and will revoke the intermediate certificate ourselves.
In the meantime we have been provided a list of the 22 certificates that had weak keys, and due to the missing revocation information and signs of abuse we have decided to blacklist these particular certificates in today's update of the Rootstore.
For Opera users there are a few things to note:
Given that the CA certificate will be revoked shortly, and that there is no indication of additional significant threats, this blacklisting is only a temporary measure, and we plan to remove these certificates from the list within a few weeks, once the revocation information has been distributed.
Related to this, we have also learned that a few other CAs have also issued about 25 certificates with 512-bit keys. At present we do not have details about these certificates, but we have been informed that the certificates should be revoked within a week.
We stress that such certificates could not have been used to signal any secure connections in Opera, and that Opera users who pay attention to the security badge have nothing to worry about.
We have contacted other browsers suggesting ways to address various issues around weak certificates and certificates that are not issued according to the recognized best practices, and we are also working with CAs to improve procedures and security in general.
In order to stay safe online we encourage users to configure their web browser to ensure that it does not allow weak security, if it does not already do so by default, such as Opera. Users also need to pay attention to the security indications.
The problems were:
- Their certificates do not contain a field called "Extended Key Usage", which is used to limit what a certificate can be used for. Without this field the certificate can be used as more than a SSL/TLS server certificate, e.g. to sign executables (Object signing).
- Their certificates did not contain any pointers to revocation information, that is, there were no OCSP URL in their certificate, and neither was there a URL to a CRL, meaning that the validity of the certificates could not be checked.
- They had issued several certificates for RSA keys that were only 512-bits long. If you have been following our security related articles, you probably have a good idea of what we here at Opera think about such keys. Summary: Don't even think of using them. These keys can be broken in days(!), and there are clear indications that at least some of these specific weak keys have been compromised!
- At least one of these weak certificates is actively being exploited in a phishing attack. Presumably it has been possible to crack the certificate due to the weak security.
Digicert Sdn. Bhd. is not a Root CA, but is a subordinate CA that operates using an Intermediate CA certificate issued by another CA, in this case they have certificates for their key issued by Cybertrust/Verizon and Entrust, both of which are members of Opera's Rootstore.
There are no indications that any certificates have been issued fraudulently, but the above points break not just the CA's own rules, they break the contracts that they signed with the two Root CAs that issued the intermediate CA certificates they have been using. For this reason Cybertrust have already revoked the certificate they issued to Digicert Sdn. Bhd., and Entrust will revoke theirs in a few days. Entrust is delaying the revocation a few days so that the affected web sites can have a few days grace time to obtain new certificates from a different issuer.
Since such certificates do not display as secure in Opera anyhow (see below), we have decided to allow this grace period. Should there be any signs of problems in the meanwhile, we can and will revoke the intermediate certificate ourselves.
In the meantime we have been provided a list of the 22 certificates that had weak keys, and due to the missing revocation information and signs of abuse we have decided to blacklist these particular certificates in today's update of the Rootstore.
For Opera users there are a few things to note:
- Digitally signed Java applets will not be affected by this update, as the Java plug-in handles all verification itself. Until Java's certificate store has been updated, or Entrust has revoked the intermediate CA, it suffices to not trust any Java popups.
- The missing CRL caused Opera to remove the "Secure" indication for all web sites using certificates issued by Digicert Sdn. Bhd. The reason for this is that there was information about the CRL in their intermediate CA certificate, and that causes Opera to require revocation information in all certificates in the chain, or the security level is lowered.
- The web sites using the certificates with 512-bits keys would also trigger a certificate warning dialog about the weak key, as Opera is currently warning about any RSA key shorter than 900 bits long.
- The update will be automatically downloaded and installed within the next week in supported versions, no user action is needed. However, if you would like to get the update immediately, you may do so using the menu option Help > Check for Updates, which will trigger the update.
Given that the CA certificate will be revoked shortly, and that there is no indication of additional significant threats, this blacklisting is only a temporary measure, and we plan to remove these certificates from the list within a few weeks, once the revocation information has been distributed.
Related to this, we have also learned that a few other CAs have also issued about 25 certificates with 512-bit keys. At present we do not have details about these certificates, but we have been informed that the certificates should be revoked within a week.
We stress that such certificates could not have been used to signal any secure connections in Opera, and that Opera users who pay attention to the security badge have nothing to worry about.
We have contacted other browsers suggesting ways to address various issues around weak certificates and certificates that are not issued according to the recognized best practices, and we are also working with CAs to improve procedures and security in general.
In order to stay safe online we encourage users to configure their web browser to ensure that it does not allow weak security, if it does not already do so by default, such as Opera. Users also need to pay attention to the security indications.
Charles SchlossChas4 # Friday, November 4, 2011 4:58:42 PM
I disable SSL 2 for other people when I help them out w/ computers
Cutting Spoonhellspork # Saturday, November 12, 2011 4:53:51 AM