Categories: CA Program Firefox Security

Firefox Blocking Fraudulent Certificates

Johnathan Nightingale

March 22, 2011

Issue

Mozilla has been informed about the issuance of several fraudulent SSL certificates for public websites. The certificates have been revoked by their issuer which should protect most users. This is not a Firefox-specific issue. As part of our ongoing commitment to providing a secure Web experience for users, we have updated Firefox 4.0, 3.6, and 3.5 to recognize these certificates and block them automatically.

Impact to users

Users on a compromised network could be directed to sites using the fraudulent certificates and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site.

Status

Current versions of Firefox are protected from this attack. We are still evaluating the possibility of further response to this issue. We encourage all users to keep their software up to date by regularly applying security updates.

Credit

This issue was reported to us by the Comodo Group, Inc., the certificate authority responsible for issuing the fraudulent certificates.

Keep up with
all things Firefox.

Your e-mail address

Country

Language

HTML Text

I’m okay with Mozilla handling my info as explained in this Privacy Policy.

We will only send you Mozilla-related information.

Thanks!

If you haven’t previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an e-mail from us.

27 comments on “Firefox Blocking Fraudulent Certificates”

Gordon Burditt wrote on March 24, 2011 at 10:21 am:

Is there a way for users to help themselves here (if they care to)? My first reaction on hearing that X issued bogus certificates is to turn off all the preloaded certificates for X immediately. (Ok, I’ll admit this can cause some problems, depending on who certifies the certificates of sites I use regularly). In firefox (3.6.15) I see I can edit “this certificate can identify web sites”, “this certificate can identify mail users”, and “this certificate can identify software makers”, but does turning these off prevent the browser from “this certificate can identify a subordinate CA”? If not, why not?

I don’t think this kind of problem calls for a delay in dealing with it. With fake certs, you don’t have to worry about going public causing more bad guys to take advantage of the hole (unlike, say, buffer overflow attacks), unless you believe that someone actually generated a fake CA cert and POSTED it, complete with private key.
Juha wrote on March 25, 2011 at 11:46 am:

Why the CRL checking for all certificates that have pointer to certificate revocation list is not supported and enabled by default in Firefox? If that were the case, no need to distribute certificate blacklists via software updates. Revocation checking is essential part in correct certificate chain validation, it can not be skipped!
none wrote on March 28, 2011 at 3:47 pm:

Is it because the HTML 5 or it is just my thought?
ThomasB wrote on April 4, 2011 at 6:44 am:

Strangely it took longer for firefox developers to fix this bug than for chrome creators. Nevertheless i still prefer mozilla, but i totally agree that this bug shouldn’t be kept a secret until the patches were released.
Pixelflo wrote on April 9, 2011 at 7:57 am:

One of my friend got scammed using an older version of firefox – can’t remember which version though.

He though it was secure and trustworthy site as is had a SSL certificate.

These security updates are a great news. Any Security enhancements are always welcome.

More comments:« Previous 1 2

Gordon Burditt wrote on March 24, 2011 at 10:21 am:

Juha wrote on March 25, 2011 at 11:46 am:

none wrote on March 28, 2011 at 3:47 pm:

ThomasB wrote on April 4, 2011 at 6:44 am:

Pixelflo wrote on April 9, 2011 at 7:57 am: