Sloppy certificate authorities put on notice

In the wake of GlobalSign, Comodo, and DigiNotar attacks, Microsoft, Mozilla, and Opera revoke untrustworthy certs

Microsoft has taken the unusually bold step of revoking the Windows Root Certificate Program's trust in a specific certification authority (CA), and the same CA is being blacklisted by browser makers Mozilla and Opera. These moves are not a reaction to a malicious compromise, as seen with GlobalSign, Comodo, and DigiNotar. Rather, they are the result of the CA, Digicert Sdn Bhd (Digicert Malaysia, which is not affiliated with the U.S.-based DigiCert Inc.), having violated several key best practices. The decisions of Microsoft, Mozilla, and Opera, with more vendors likely to follow, should send a clear warning that the industry is becoming less tolerant of shoddy digital-certificate security, particularly in light of recent hacks.

In the case of Microsoft (my full-time employer), this means that Windows will no longer vouch for the CA as trusted. Windows will not ship the CA's certificate in its Trusted Root Certification Authorities store, nor install it there on demand. If a user receives a certificate issued by Digicert Sdn Bhd, his or her application will most likely display a certificate error rather than silently accept it as trusted. Depending on the application, users may have the option to ignore the warning and proceed.

According to Jerry Bryant, group manager of Microsoft's Trustworthy Computing group, Digicert Malaysia, a subordinate CA chained under Entrust and Verizon (GTE CyberTrust), was found to have violated several key digital-certificate best practices. Among them, the CA issued certificates with weak 512-bit keys, without appropriate usage extensions, and without appropriate revocation information.
In today's world, 512-bit keys are considered extremely short and easily crackable; 512-bit RSA moduli have been factored publicly since 1999 and can now be factored with modest computing resources. For RSA, the customary minimum has been 1,024 bits, and many companies, including Microsoft, now recommend 2,048 bits as the bare minimum. Smaller key sizes are acceptable and expected with other algorithms, such as elliptic curve cryptography (ECC), where a 256-bit key provides security comparable to a 3,072-bit RSA key, so key length must always be judged relative to the algorithm. The Digicert Sdn Bhd keys were probably RSA keys, which are traditionally used more often in public digital certificates.

Usage extensions are part of the X.509 PKI standard governing digital certificates and state what an issued certificate may be used for. The Key Usage and Extended Key Usage extensions say whether the key may be used for signing, encryption, TLS server authentication, or code signing; Basic Constraints says whether the certificate may sign other CA certificates; the Subject Alternative Name extension lists the DNS names the certificate is valid for, and Name Constraints limits the names a subordinate CA may issue for. Without these extensions a certificate can be used for unintended, expanded purposes: a validator that finds no Extended Key Usage typically treats the certificate as good for any purpose, so a certificate meant for a web server could also pass as a code-signing certificate. Public CAs should always issue certificates with defined extensions.

Lack of revocation information means the issued certificate carries no CRL Distribution Points extension (a link, usually HTTP, to the issuer's certificate revocation list) and no Authority Information Access extension pointing to an OCSP responder, so a relying party cannot verify back to the issuing authority (and/or its parents) whether the certificate is still valid or has been revoked. Whether a client actually checks revocation is often optional, and many clients fail open when the CRL or OCSP responder cannot be reached, but as the industry puts greater reliance on public PKI, revocation information is becoming a more important requirement.

Microsoft's removal of Digicert Sdn Bhd from its Root Certificate Program is a rare event, especially given that the CA was not maliciously compromised. All public CAs are expected to follow best practices, and usually do. Clearly, this is Microsoft's warning to other CAs that poor certificate-issuing practices will not be tolerated.
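The three criteria above (key size, usage extensions, revocation pointers) can be checked mechanically against the certificates already installed on a Windows machine. The following PowerShell script is an added example, not code from the article or from Microsoft; the 2,048-bit floor, the store paths and the function name Test-CertificateHygiene are my choices, and the extension OIDs are the standard X.509/PKIX values. It assumes Windows PowerShell 5.1 or later, whose RSACertificateExtensions.GetRSAPublicKey helper returns $null for non-RSA keys, so ECC certificates are not flagged as short.

```powershell
# Added example (not from the article): audit Windows certificate stores for the
# practices the article names: RSA keys under 2048 bits, missing usage/constraint
# extensions, and missing revocation pointers. Store paths and the 2048-bit floor
# are assumptions; requires Windows PowerShell 5.1+ for RSACertificateExtensions.
$MinRsaBits = 2048

# Standard X.509 / PKIX extension OIDs.
$Oid = @{
    KeyUsage         = '2.5.29.15'
    ExtendedKeyUsage = '2.5.29.37'
    BasicConstraints = '2.5.29.19'
    CrlDistPoints    = '2.5.29.31'
    AuthorityInfo    = '1.3.6.1.5.5.7.1.1'   # carries the OCSP responder URL
}

function Test-CertificateHygiene {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$ExpectCa   # set when the certificate came from a CA store
    )
    $findings = @()

    # GetRSAPublicKey returns $null for non-RSA keys, so a 256-bit ECC key is not
    # mistaken for a short key: size only means something relative to the algorithm.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
        $findings += "RSA key is only $($rsa.KeySize) bits"
    }

    # Index the extensions actually present by OID.
    $present = @{}
    foreach ($ext in $Cert.Extensions) { $present[$ext.Oid.Value] = $true }

    if (-not $present.ContainsKey($Oid.KeyUsage)) {
        $findings += 'missing Key Usage'
    }
    # RFC 5280 requires Basic Constraints on every CA certificate.
    if ($ExpectCa -and -not $present.ContainsKey($Oid.BasicConstraints)) {
        $findings += 'missing Basic Constraints on a CA certificate'
    }

    # A self-signed root has no issuer to publish revocation data for it and is
    # distrusted by removal from the store, so EKU and revocation pointers are
    # only demanded on certificates that somebody else issued.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    if (-not $selfSigned) {
        if (-not $present.ContainsKey($Oid.ExtendedKeyUsage)) {
            $findings += 'missing Extended Key Usage (validators treat it as good for any purpose)'
        }
        if (-not ($present.ContainsKey($Oid.CrlDistPoints) -or $present.ContainsKey($Oid.AuthorityInfo))) {
            $findings += 'no CRL Distribution Points or Authority Information Access (revocation cannot be checked)'
        }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Findings   = $findings
    }
}

# Roots and intermediates are checked as CA certificates; the personal store holds
# end-entity certificates, where Basic Constraints is optional.
$stores = @(
    @{ Path = 'Cert:\LocalMachine\Root'; ExpectCa = $true  }
    @{ Path = 'Cert:\LocalMachine\CA';   ExpectCa = $true  }
    @{ Path = 'Cert:\CurrentUser\My';    ExpectCa = $false }
)
$results = foreach ($s in $stores) {
    Get-ChildItem -Path $s.Path | ForEach-Object { Test-CertificateHygiene -Cert $_ -ExpectCa:$s.ExpectCa }
}
$results | Where-Object { $_.Findings.Count -gt 0 } |
    Select-Object Subject, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the LocalMachine stores are readable. Expect some findings in the Root store, since old roots that predate Basic Constraints are still common; a root's lack of CRL or AIA pointers is not a defect, which is why the script only demands them on certificates that are not self-signed.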
There are many other CAs that do not include revocation information or do not appropriately restrain their issued certificates using extensions. Just check the ones located in the certificate store on your computer; it's likely you'll see a few missing the same items. Bear in mind that a self-signed root carries no revocation pointer by design (a root is "revoked" by removing it from the trust store, exactly as happened here), so the certificates to scrutinize are the subordinate CA and end-entity certificates issued beneath it. You can bet those CAs are paying closer attention now.

This story, "Sloppy certificate authorities put on notice," was originally published at InfoWorld.com.