Firefox Blocking Fraudulent Certificates

Johnathan Nightingale


Issue

Mozilla has been informed about the issuance of several fraudulent SSL certificates for public websites. The certificates have been revoked by their issuer which should protect most users. This is not a Firefox-specific issue. As part of our ongoing commitment to providing a secure Web experience for users, we have updated Firefox 4.0, 3.6, and 3.5 to recognize these certificates and block them automatically.

Impact to users

Users on a compromised network could be directed to sites using the fraudulent certificates and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site.

Status

Current versions of Firefox are protected from this attack. We are still evaluating the possibility of further response to this issue. We encourage all users to keep their software up to date by regularly applying security updates.

Credit

This issue was reported to us by the Comodo Group, Inc., the certificate authority responsible for issuing the fraudulent certificates.

27 responses

  1. Gordon Burditt wrote on :

    Is there a way for users to help themselves here (if they care to)? My first reaction on hearing that X issued bogus certificates is to turn off all the preloaded certificates for X immediately. (Ok, I’ll admit this can cause some problems, depending on who certifies the certificates of sites I use regularly.) In Firefox (3.6.15) I see I can edit “this certificate can identify web sites”, “this certificate can identify mail users”, and “this certificate can identify software makers”, but does turning these off prevent the browser from “this certificate can identify a subordinate CA”? If not, why not?

    I don’t think this kind of problem calls for a delay in dealing with it. With fake certs, you don’t have to worry about going public causing more bad guys to take advantage of the hole (unlike, say, buffer overflow attacks), unless you believe that someone actually generated a fake CA cert and POSTED it, complete with private key.

  2. Juha wrote on :

    Why is CRL checking for all certificates that have a pointer to a certificate revocation list not supported and enabled by default in Firefox? If that were the case, there would be no need to distribute certificate blacklists via software updates. Revocation checking is an essential part of correct certificate chain validation; it cannot be skipped!
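The two mechanisms in play here, the blocklist shipped in the Firefox update that the advisory describes and the CRL checking this comment asks about, combined in one chain-validation routine, as an added example (not Mozilla's or Firefox's code). Certificates are simplified records rather than real X.509 objects; the blocklist entries, CRL URLs and CRL contents are constructed, and `fetch_crl` is a stand-in for a network fetch. The point it demonstrates is why a built-in blocklist still matters when CRL checking is enabled: a revocation check that soft-fails when the CRL cannot be retrieved lets a revoked certificate through, whereas the blocklist needs no network at all.

```python
"""Chain validation with a built-in blocklist plus CRL lookup (added example,
not Mozilla code). Certificates are simplified records; all data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_url: Optional[str] = None  # CRL distribution point, if the cert carries one


# A certificate is identified for revocation purposes by (issuer, serial):
# serial numbers are only unique per issuer, so the issuer is part of the key.
RevocationKey = Tuple[str, int]

# Constructed stand-in for blocklist entries shipped inside a browser update.
BUILTIN_BLOCKLIST: Set[RevocationKey] = {
    ("Example CA", 0x1337),
}


class CrlUnavailable(Exception):
    """Raised when a CRL cannot be retrieved (network error, blocked fetch, timeout)."""


def fetch_crl(url: str, crl_store: Dict[str, Set[int]]) -> Set[int]:
    """Stand-in for a CRL download: crl_store maps a CRL URL to its revoked serials."""
    if url not in crl_store:
        raise CrlUnavailable(url)
    return crl_store[url]


def check_chain(chain: Iterable[Cert], crl_store: Dict[str, Set[int]],
                hard_fail: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason) for a chain ordered leaf first.

    The built-in blocklist is consulted first because it needs no network access.
    Then each certificate that names a CRL is looked up in that CRL. If the CRL
    cannot be fetched, soft-fail (the default) treats the certificate as not
    revoked; hard_fail=True rejects the chain instead.
    """
    for cert in chain:
        if (cert.issuer, cert.serial) in BUILTIN_BLOCKLIST:
            return False, f"{cert.subject}: blocked by built-in list"
        if cert.crl_url is None:
            continue  # no distribution point, nothing to look up
        try:
            revoked_serials = fetch_crl(cert.crl_url, crl_store)
        except CrlUnavailable:
            if hard_fail:
                return False, f"{cert.subject}: CRL unreachable (hard-fail)"
            continue  # soft-fail: an unreachable CRL is silently treated as empty
        if cert.serial in revoked_serials:
            return False, f"{cert.subject}: revoked via CRL"
    return True, "chain accepted"


# Constructed chain: self-signed root, one intermediate, three leaves.
ROOT = Cert("Example Root", "Example Root", 1)
INTERMEDIATE = Cert("Example CA", "Example Root", 2, "http://crl.example.test/root.crl")
FRAUD_LEAF = Cert("login.example.net", "Example CA", 0x1337, "http://crl.example.test/ca.crl")
GOOD_LEAF = Cert("www.example.org", "Example CA", 0x2A, "http://crl.example.test/ca.crl")
REVOKED_LEAF = Cert("mail.example.org", "Example CA", 0x99, "http://crl.example.test/ca.crl")

# Constructed CRL contents, keyed by distribution point URL.
CRL_STORE: Dict[str, Set[int]] = {
    "http://crl.example.test/root.crl": set(),
    "http://crl.example.test/ca.crl": {0x99, 0x1337},
}

if __name__ == "__main__":
    for label, chain, store, hard in [
        ("blocklisted leaf, no CRL available", [FRAUD_LEAF, INTERMEDIATE, ROOT], {}, False),
        ("good leaf, CRLs reachable", [GOOD_LEAF, INTERMEDIATE, ROOT], CRL_STORE, False),
        ("revoked leaf, CRLs reachable", [REVOKED_LEAF, INTERMEDIATE, ROOT], CRL_STORE, False),
        ("revoked leaf, CRLs unreachable, soft-fail", [REVOKED_LEAF, INTERMEDIATE, ROOT], {}, False),
        ("revoked leaf, CRLs unreachable, hard-fail", [REVOKED_LEAF, INTERMEDIATE, ROOT], {}, True),
    ]:
        print(f"{label}: {check_chain(chain, store, hard)}")
```

The fourth scenario is the one that answers the comment: with CRL checking enabled but the CRL unreachable, the soft-fail path accepts a certificate that the CRL would have rejected, while the blocklisted certificate in the first scenario is rejected with no network access at all. Hard-fail closes that gap at the cost of breaking every site whose CA has a CRL outage.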

  3. none wrote on :

    Is it because of HTML 5, or is it just my thought?

  4. ThomasB wrote on :

    Strangely, it took longer for Firefox developers to fix this bug than for Chrome’s creators. Nevertheless, I still prefer Mozilla, but I totally agree that this bug shouldn’t have been kept a secret until the patches were released.

  5. Pixelflo wrote on :

    One of my friends got scammed using an older version of Firefox – can’t remember which version though.

    He thought it was a secure and trustworthy site as it had an SSL certificate.

    These security updates are great news. Any security enhancements are always welcome.
