U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

Fraudulent Digital Certificates Could Allow Spoofing

Original release date: November 10, 2011 | Last revised: October 23, 2012

US-CERT is aware of public reports that DigiCert Sdn. Bhd* has issued 22 certificates with weak encryption keys. This could allow an attacker to use these certificates to impersonate legitimate site owners. DigiCert Sdn. Bhd has revoked all the weak certificates that they issued. Entrust, the parent Certificate Authority to DigiCert Sdn. Bhd, has released a statement containing more information.

Mozilla has released Firefox 8 and Firefox 3.6.24 to address this issue. Additional information can be found in the Mozilla Security Blog.

Microsoft has provided an update for all supported versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2641690.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risks. US-CERT will provide additional information as it becomes available.

*DigiCert Sdn. Bhd is not affiliated in any way with the US-based corporation DigiCert, Inc.

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top