Alert

Fraudulent Digital Certificates Could Allow Spoofing

Last Revised

US-CERT is aware of public reports that DigiCert Sdn. Bhd* has issued 22 certificates with weak encryption keys. This could allow an attacker to use these certificates to impersonate legitimate site owners. DigiCert Sdn. Bhd has revoked all the weak certificates that they issued. Entrust, the parent Certificate Authority to DigiCert Sdn. Bhd, has released a statement containing more information.

Mozilla has released Firefox 8 and Firefox 3.6.24 to address this issue. Additional information can be found in the Mozilla Security Blog.

Microsoft has provided an update for all supported versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2641690.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risks. US-CERT will provide additional information as it becomes available.

*DigiCert Sdn. Bhd is not affiliated in any way with the US-based corporation DigiCert, Inc.

This product is provided subject to this Notification and this Privacy & Use policy.