back to article Burned by DigiNotar, Mozilla tells cert cops to audit security

Mozilla has directed all web authentication authorities trusted by its software to conduct security audits to ensure they aren't being abused to issue counterfeit secure sockets layer certificates. Thursday's note from Kathleen Wilson, who oversees the certificate authorities included in the Firefox browser and Thunderbird …


This topic is closed for new posts.
  1. NoneSuch Silver badge


    Asking for responsible stewardship over a key economic power on the Internet... Should'nt that fall under the "Bleeding Obvious" category and why has this not been requested from day one?

    1. Raz


      Why are not the other browser makers doing the same?

      1. Lance 3

        1) Who says they haven't?

        2) Who says a self audit will actually produce anything?

        What would happen if all of them told Mozilla to bugger off? What would Mozilla do then, not trust ANY of them?

        1. Anonymous Coward
          Anonymous Coward


          1) the original article says that at least Google/Chrome has not, so yes, why haven't other browsers demanded audits?

  2. Oninoshiko

    I believe it was required from day one, they are just requiring it be re-audited.

    (which should be being done yearly anyway)

  3. bleh_meh
    Thumb Up

    Time will tell...

    If this actually gets followed through fully. I am happy that at least my preferred browser maker has made a statement of intent to follow up, but we might see one or two days before the deadline a reversal from Mozilla.

    I sincerely hope that doesn't happen though and we see a few more point upgrades to blacklist non-conforming CA's.

    1. Lance 3

      Having to do "upgrades" because of CA issues seems to be a poor practice to be using. Why not something MORE dynamic and instantaneous?

      1. Anonymous Coward
        Anonymous Coward

        Because it's very difficult, look up the problems with CRLs..

        1. Dan 55 Silver badge

          So we also have OCSP

          Which only verifies certificate serial numbers.


          SSL really is a house of cards, unfortunately. I think I was happier living in ignorance before I looked into how it works after the latest spate of attacks.

          1. Tomato42

            OCSP details

            OCSP *can* use certificate serial numbers, the request contains hash of common name and public key too. OCSP can be used both as a frontend to CRL and as a whitelist mechanism. Problem is that it's implementation specific.

            We need a whitelist mechanism for certificates. CAs publishing hash list of all signed certificates would be a good start (that needed to be cross-checked at least yearly with actual certificates by a third party).

  4. Anonymous Coward
    Anonymous Coward

    I'm confused.

    Wasn't the earlier mis-issuance of done by a Comodo reseller? That site's certificate was issued by Verisign on 13 July 2011.

  5. Anonymous Coward

    Hypocrite behavior IMO.

    A classic example of where the Internet can go wrong.. When I learned the technical aspects of certification (with many thanks to OpenSSL, its documentation and the many people who shared their experiences on the Net) it got me curious as to how the main browsers handled this. Better put: how would I get my own CA certificate listed ?

    Step one: bring money.

    Now, this doesn't fully apply when you apply to Mozilla directly, but what about parties who buy themselves into the market by getting their CA certificate accepted (signed) by another CA who is already listed in the major browsers ?

    So by getting "CA certified" through channels like Thawte, Verisign and others?

    Its a late for Mozilla to start showing some muscle here because the damage has already been done. I don't mean Diginotar; I'm referring to the scenario described above.

    And there is another issue to consider... If Microsoft includes a certificate in their OS, do you really think Mozilla can allow itself to simply ignore the whole thing and insist people contact them directly? When there's a browser war going on; where the "user experience" is what matters most?

    I don't think so! Theoretical scenario: "Man, FF is lame; I go to website X and I can't even access it without errors! Explorer has no issues, seems Chrome also works. Guess those are the better browsers then".

    Check for yourself:

    It appears as if Mozilla has /many/ more CA's listed in their browser than MS has. On my Win7 I have 28 trusted root certificates, where 2 have been added by me, vs. 49 within the Mozilla browsers (according to the list mentioned above).

    1. Ken Hagan Gold badge

      Re: Theoretical scenario

      "Man, FF is lame; I go to website X and I can't even access it without errors! Explorer has no issues, seems Chrome also works. Guess those are the better browsers then."

      Well, yeah, they are, *if* you don't mind your wallet being emptied by some porn baron in a foreign country. Judging from the huge market share maintained over many years by IE6, *most* people don't mind that and therefore IE6 *is* (for them) a better browser.

      Firefox's market is those who actually bother to read error messages and want to retain some control over their computer. That's a *niche* market. Oh sure, everyone *talks* about wanting to be safe on the internet, but almost nobody is actually willing to invest the time and energy required to do so. Objectively speaking, then, they actually *don't* care.

      I'm fine with that. It's a free country.

  6. Anonymous Coward
    Anonymous Coward

    How about...

    browsers stop f... distributing root CAs at all and let the USERS grab the certificates... I really really hate this whole lets bundle crap together.

    1. Ken Hagan Gold badge

      Re: How about

      Yeah, coz typical end-users are really going to spend time and energy discriminating between a root certificate from a reputable authority and one from (say) DigiNotar.

      The current practice of bundling is probably the only thing that stops Verisign having a total monopoly. (Since most of your customers will have heard of Verisign and won't have heard of anyone else, and those customers are the ones deciding whether your certificate is trustworthy, who are you going to get to issue your certificate?)

  7. Bronek Kozicki

    this is silly

    c'mon , developers dictating PKI CAs security policy? Admittedly, there seem to be nobody better placed since customers don't seem to care (as they should!) but it only serves to prove that PKI system have not worked as well as hoped for.

    Since PGP is not really viable alternative either (at least in SSL space) there seem to be some space for future invention left, which is what Mozzilla should focus on. They do come with nifty ideas from time to time, e.g. browser Id user authentication.

    1. Ru

      Er, what?

      Are you saying Mozilla should distribute all CA root certificates sent to it? Or that they should distribute none at all?

      Seems to me that Firefox is their product, and therefore they can feel free to restrict what gets shipped with it.

  8. Anonymous Coward
    Anonymous Coward

    CAs clearly don't work. Comodohacker and DigiNotar has clearly showed this. Revoking the root certs of one CA doesn't help the next time a CA gets hacked. CAs are a single point of failure, and single points of failure should be avoided. Clients such as web browsers should update their software and use DNSSEC instead to validate SSL certs (DANE). DNS is a native internet architecture, distributed, and with DNSSEC it's secured and cryptographically signed.

  9. Crazy Operations Guy

    A couple of ideas

    Create a database that maps Domain names to Certificate authorities. That way if a domain is listed twice, then it is something that requires some attention, it would certainly have prevented the DigiNotar attack from happening as long as it did.

    ICANN would be a good candidate to run this.

    DNSsec also needs to be rolled out completely, what the hell is taking it so long?

    While either or both of these will not be 100% secure, nothing ever will be. Everything can be broken, bypassed, spoofed, etc.

This topic is closed for new posts.

Other stories you might like