Mozilla recently revoked trust in one of the top certificate authority (CA) companies based in Malaysia. Given concerns about weak keys in certificates issued by the company, Mozilla revoked trust in DigiCert Sdn. Bhd. certificates.
Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an EKU extension specifying their intended usage and they have been issued without revocation information. – Mozilla Security Blog
DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon. It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program. We came to know that DigiCert Sdn. Bhd. is a joint-venture partnership between POS Malaysia Berhad and MIMOS Berhad.
What makes this issue potentially significant is that DigiCert Sdn. Bhd. is the company responsible for issuing certificates to Bank Negara web applications and the CIMB Clicks online banking service, and it even provides certificates to MyKad-related systems. Sounds serious?
It may not be that serious: we checked CIMB Clicks and it is already using a new certificate issued by MSC Trustgate, which should not have issues like this.
The issues raised by Mozilla are weak security plus several technical issues. Notice the https:// sign when you enter an official online banking site? Well, after the next Firefox update, users may be shown a warning about an invalid security certificate. This may not happen if you are using other browsers such as IE or Chrome.
Considering that cyber crime in Malaysia is among the top in the Asia Pacific region, this matter should be taken seriously by consumers. Everyday online banking is not going to be as safe as before, at a time when, even with very good security, banking sites are often targeted by hackers and phishing attacks. How will this affect us?