[OWASP-Malaysia] Weak 512-bit RSA Keys issued by Malaysian CA


jep

Nov 4, 2011, 3:03:28 AM
to owasp-m...@lists.owasp.org
Dear list

Digicert Malaysia has been licensed by Entrust for distributing SSL and S/MIME certificates.

It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards.

Anyone interested to discuss/comment?

Source:
http://www.entrust.net/advisories/malaysia.htm

Hasanuddin Abu Bakar

Nov 4, 2011, 5:05:45 AM
to Open Web Application Security Project (OWASP) Malaysia Local Chapter
Yeah, lack of adequate security policy. Lack of "pengamalan cekap" (competent practice).


Hasanuddin Abu Bakar
GSEC, LPIC-1, Novell CLA
IT Security Engineer
+6017 913 1983

Sigma Rectrix Systems (M) Sdn Bhd
No.15 & 15-1, Jalan Equine 9A,
Equine Park, Bandar Putra Permai
43300 Seri Kembangan Selangor
URL             : www.sigmarectrix.com

Phone        : 03-89486696
Fax              : 03-89487796
Helpdesk  : 03-89486596

_______________________________________________
OWASP-Malaysia mailing list
OWASP-M...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-malaysia

OWASP Malaysia Wiki
http://www.owasp.my

OWASP Malaysia Facebook
http://www.facebook.com/OWASP.Malaysia

OWASP Malaysia Twitter #owaspmy
http://www.twitter.com/owaspmy

Yusof Khalid - FreeBSD / OpenBSD

Nov 4, 2011, 6:30:33 AM
to Open Web Application Security Project (OWASP) Malaysia Local Chapter

Shame on digicert

Ang Chin Han

Nov 4, 2011, 6:33:28 AM
to Open Web Application Security Project (OWASP) Malaysia Local Chapter

Adli Abdul Wahid

Nov 4, 2011, 8:00:18 AM
to Open Web Application Security Project (OWASP) Malaysia Local Chapter
And until now, there's no official response from them.

- adli


--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x80AE6AD787A26066

Hazrul Hamzah

Nov 4, 2011, 8:25:42 AM
to owasp-m...@lists.owasp.org
Somehow I do think that responding to incidents is not our forte... Sad
though ;)

jep

Nov 4, 2011, 1:24:52 PM
to Open Web Application Security Project (OWASP) Malaysia Local Chapter
sad but true :(~

I bet you all can imagine the impact if the "sakai²" IT people (not skiddies or lame
defacers) knew how to take advantage of this event/news.

hint: bigger picture is big, the box is small

Harisfazillah Jamel

Nov 4, 2011, 9:27:55 PM
to Open Web Application Security Project (OWASP) Malaysia Local Chapter
Should gov.my take control of their own SSL/TLS certs?
There is a danger of man-in-the-middle attacks using false certs.
http://tech.slashdot.org/story/11/08/30/0253254/another-ca-issues-false-certificates-to-iran

> On Fri, Nov 4, 2011 at 6:33 PM, Ang Chin Han <ang.ch...@gmail.com> wrote:
>> It has deeper implications than that:
>> http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
>> http://blogs.technet.com/b/msrc/archive/2011/11/03/untrusted-certificate-store-to-be-updated.aspx
>> http://code.google.com/p/chromium/issues/detail?id=102530

--
Malaysia Open Source Software Conference 2011
MOSC2011 http://www.mosc.my/

Malaysia Open Source Conference 2012 (MOSC2012)
http://portal.mosc.my/

LinuxMalaysia Network
http://www.facebook.com/Bukan.Sekadar.Internet.Sahaja

Harisfazillah Jamel

jep

Nov 6, 2011, 12:38:21 PM
to owasp-m...@lists.owasp.org
Digicert is a GLC, right?
Maybe their role now is the same as grca's.
grca is a good idea, but my concern is the capability of the people/person/experts handling such a very critical agency/entity (who/how/why).

Yes, you can do MITM attacks (fake sites that look like the real ones), malware/viruses with signed drivers and many more types of attack.

There is a more concerning impact from this event: "CA issued 512-bit RSA key!!!" ... it sounds (sorry to say) dumb/stupid/silly ... 512-bit RSA was factored a long time ago ... 22 August 1999 to be precise (refer: http://www.rsa.com/rsalabs/node.asp?id=2098)

Remember this: "in security, once a silly mistake has been made, there will be others coming ... if not today, there will be tomorrow" - jep

site:digicert.com.my intitle:"Index of /"
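Both defects named in the advisory that started this thread (a 512-bit RSA modulus and absent certificate extensions) are visible directly in a certificate's DER structure, so a relying party can screen for them without trusting the issuer's CPS. The following standard-library Python is an added example, not code from this thread, from Entrust, or from any CA mentioned here. It walks the X.509 structure to the RSA modulus and the `[3] EXPLICIT` extensions list, reports the key size and which of basicConstraints, keyUsage and extKeyUsage are missing. The two certificates it runs on are constructed stand-ins built by `build_toy_cert` (correct layout, placeholder modulus, zero signature), not real Digicert Sdn Bhd certificates; the subject name `toy.example`, the validity dates and the 2048-bit threshold are assumptions.

```python
"""Audit an X.509 certificate (DER or PEM) for a weak RSA key and missing v3 extensions.
Standard-library DER walker that follows only the path to the RSA modulus and the
extensions list; single-byte tags are assumed, which is all X.509 uses."""
import base64
import re

# DER-encoded OBJECT IDENTIFIER TLVs this audit needs to recognise.
RSA_OID = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA
EXT_NAMES = {                                             # extensions a CA is expected to set
    bytes.fromhex("0603551d13"): "basicConstraints",      # 2.5.29.19
    bytes.fromhex("0603551d0f"): "keyUsage",              # 2.5.29.15
    bytes.fromhex("0603551d25"): "extKeyUsage",           # 2.5.29.37
}

def load_pem(text):
    """Strip PEM armour and whitespace, return DER bytes."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", text))

def to_pem(der_bytes):
    """Wrap DER bytes in PEM armour."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode() + "-----END CERTIFICATE-----\n"

def _read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, content_start, content_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, cs, ce = _read_tlv(buf, pos)
        yield tag, pos, cs, ce
        pos = ce

def audit_certificate(cert, min_rsa_bits=2048):
    """Return RSA modulus size and which of the expected extensions are missing."""
    if isinstance(cert, str) or cert.lstrip().startswith(b"-----"):
        cert = load_pem(cert if isinstance(cert, str) else cert.decode())
    _, cs, ce = _read_tlv(cert, 0)                             # Certificate ::= SEQUENCE
    _, _, tbs_cs, tbs_ce = next(_children(cert, cs, ce))      # tbsCertificate
    fields = list(_children(cert, tbs_cs, tbs_ce))
    i = 1 if fields[0][0] == 0xA0 else 0                      # skip [0] EXPLICIT version if present
    spki = fields[i + 5]                                      # serial, sigAlg, issuer, validity, subject, spki
    # subjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
    alg, key_bits = list(_children(cert, spki[2], spki[3]))
    if cert[alg[2]:alg[2] + len(RSA_OID)] != RSA_OID:
        raise ValueError("not an RSA public key")
    # BIT STRING content = unused-bits byte, then RSAPublicKey ::= SEQUENCE { modulus, exponent }
    _, rsa_cs, rsa_ce = _read_tlv(cert, key_bits[2] + 1)
    modulus = next(_children(cert, rsa_cs, rsa_ce))
    rsa_bits = int.from_bytes(cert[modulus[2]:modulus[3]], "big").bit_length()

    present = []
    ext_field = [f for f in fields if f[0] == 0xA3]           # [3] EXPLICIT Extensions, optional
    if ext_field:
        _, _, seq_cs, seq_ce = next(_children(cert, ext_field[0][2], ext_field[0][3]))
        for _, _, ext_cs, ext_ce in _children(cert, seq_cs, seq_ce):
            oid = next(_children(cert, ext_cs, ext_ce))       # extnID is each Extension's first field
            present.append(EXT_NAMES.get(cert[oid[1]:oid[3]], "other"))
    missing = [n for n in EXT_NAMES.values() if n not in present]
    return {"rsa_bits": rsa_bits, "weak_key": rsa_bits < min_rsa_bits,
            "has_extensions": bool(ext_field), "missing_extensions": missing}

# --- constructed test data (NOT real certificates): correct layout, placeholder key, zero signature ---
def der(tag, content):
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def der_int(n):
    """DER INTEGER for a non-negative int (leading 0x00 keeps a set top bit positive)."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_toy_cert(rsa_bits, with_extensions):
    """Assumed subject CN=toy.example; the modulus is a placeholder of the requested size."""
    null = der(0x05, b"")
    rsa_key = der(0x30, der_int((1 << (rsa_bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, der(0x30, RSA_OID + null) + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, b"toy.example"))))
    validity = der(0x30, der(0x17, b"111104000000Z") + der(0x17, b"121104000000Z"))
    sig_alg = der(0x30, SHA256_RSA_OID + null)
    tbs = der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki
    if with_extensions:                                       # basicConstraints, keyUsage, EKU=serverAuth
        exts = (der(0x30, bytes.fromhex("0603551d13") + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
                + der(0x30, bytes.fromhex("0603551d0f") + der(0x01, b"\xff") + der(0x04, der(0x03, b"\x05\xa0")))
                + der(0x30, bytes.fromhex("0603551d25") + der(0x04, der(0x30, bytes.fromhex("06082b06010505070301")))))
        tbs += der(0xA3, der(0x30, exts))
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" * 65))

if __name__ == "__main__":
    for bits, exts in ((512, False), (2048, True)):
        print(bits, audit_certificate(build_toy_cert(bits, exts)))
```

To screen a real certificate, pass the file contents to `audit_certificate(open(path, "rb").read())`; PEM and DER are both accepted. The check deliberately stops at structure: it does not verify the signature or the chain, so a certificate that passes here still has to go through normal path validation, and one that fails should be treated as untrusted regardless of who issued it.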