Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.
Three central issues informed our decision:
1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own addons.mozilla.org domain.
2) The scope of the breach remains unknown. While we were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. We now know that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.
3) The attack is not theoretical. We have received multiple reports of these certificates being used in the wild.
Mozilla has a strong history of working with CAs to address shared technical challenges, as well as responding to and containing breaches when they do arise. In an incident earlier this year we worked with Comodo to block a set of mis-issued certificates that were detected, contained, and reported to us immediately. In DigiNotar’s case, by contrast, we have no confidence that the problem has been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches.
Staat der Nederlanden Certificates
DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden). The Dutch government’s Computer Emergency Response Team (GovCERT) indicated that these certificates are issued independently of DigiNotar’s other processes and that, in their assessment, these had not been compromised. The Dutch government therefore requested that we exempt these certificates from the removal of trust, which we agreed to do in our initial security update early this week.
The Dutch government has since audited DigiNotar’s performance and rescinded this assessment. We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products. We understand that other browser vendors are making similar changes. We’re also working with our Dutch localizers and the Bits of Freedom group in the Netherlands to contact individual site operators using affected certificates (based on the EFF’s SSL Observatory data).
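To make the two-phase trust decision above concrete, here is an added example (not Mozilla's code, and not how NSS itself records distrust): a small chain verifier over a constructed test PKI in which a DigiNotar-style root and a separate PKIoverheid-style intermediate under a government root are distrusted first partially, then entirely. All names and certificates are constructed placeholders; the example assumes the `cryptography` package is installed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer=None, is_ca=False):
    """Return (key, cert). issuer=(key, cn) signs the cert; None builds a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer, issuer_cn = issuer if issuer else (key, cn)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return key, cert

_cn = lambda c: c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def verify_chain(leaf, pool, roots, distrusted):
    """Walk leaf -> issuer -> ... -> trusted root, checking signatures and CA flags; any cert whose subject is in `distrusted` fails the chain, root or intermediate."""
    cert, depth = leaf, 0
    while depth < 8:
        if _cn(cert) in distrusted:
            return False, "distrusted CA in chain: " + _cn(cert)
        if any(cert == r for r in roots):
            return True, "chain ends at trusted root: " + _cn(cert)
        issuer = next((c for c in pool + roots if c.subject == cert.issuer), None)
        if issuer is None or not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "no CA issuer found for " + _cn(cert)
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, "bad signature on " + _cn(cert)
        cert, depth = issuer, depth + 1
    return False, "chain too long"

# Constructed test PKI with placeholder names (not real certificates), mirroring the structure in the post
dn_key, dn_root = make_cert("Example DigiNotar Root", is_ca=True)
nl_key, nl_root = make_cert("Example Staat der Nederlanden Root", is_ca=True)
gov_key, gov_ica = make_cert("Example DigiNotar PKIoverheid CA", (nl_key, "Example Staat der Nederlanden Root"), is_ca=True)
_, leaf_addons = make_cert("addons.example", (dn_key, "Example DigiNotar Root"))
_, leaf_gov = make_cert("gov-site.example", (gov_key, "Example DigiNotar PKIoverheid CA"))
ROOTS, POOL = [dn_root, nl_root], [gov_ica]
PHASE1 = {"Example DigiNotar Root"}                      # initial update: PKIoverheid intermediate exempted
PHASE2 = PHASE1 | {"Example DigiNotar PKIoverheid CA"}   # exemption rescinded: every DigiNotar CA distrusted
```

Under PHASE1 the government-chained leaf still validates through the trusted Staat der Nederlanden root while the addons leaf is rejected; under PHASE2 both fail, which is the end state the post describes.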
The integrity of the SSL system cannot be maintained in secrecy. Incidents like this one demonstrate the need for active, immediate and comprehensive communication between CAs and software vendors to keep our collective users safe online.
Johnathan Nightingale
Director of Firefox Engineering