Fraudulent *.google.com Certificate

Johnathan Nightingale


Update (Sept. 6, 2011 @10:37 a.m. PT):

New security updates for Firefox are now available.

Update (Aug. 30, 2011 @ 11:25 p.m. PT):

Mozilla just released an update to Firefox for Desktop, Thunderbird and SeaMonkey. Updates are now available for:
•    Firefox for Windows, Mac and Linux (final release)
•    Firefox for Windows, Mac and Linux (3.6.21 final release)
•    Firefox Aurora for Windows, Mac and Linux
•    Firefox Nightly for Windows, Mac and Linux
•    SeaMonkey (2.3.2)
•    Thunderbird (6.0.1)

We strongly recommend that all users upgrade to these releases.

If you already have Firefox, you will receive an automated update notification within 24 to 48 hours. Users can also manually check for updates if they do not want to wait for the automatic update.

New versions of Firefox for Mobile (final release and Beta), Firefox Beta for Desktop and Thunderbird will be released shortly.

Issue

Mozilla was informed today about the issuance of at least one fraudulent SSL certificate for public websites belonging to Google, Inc. This is not a Firefox-specific issue, and the certificate has now been revoked by its issuer, DigiNotar. Revocation only helps clients that actually consult the issuer's CRL or OCSP responder before trusting a certificate, so this should protect most, but not all, users.

Impact to users

Users on a network an attacker controls could be directed to sites presenting a fraudulent certificate and mistake them for the legitimate sites, because the certificate chains to a root the browser trusts and no warning is shown. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it is coming from a trusted site. We have received reports of these certificates being used in the wild.

Status

Because the extent of the mis-issuance is not clear, we are shortly releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13 and 6.0.1) and SeaMonkey (2.3.2). These releases revoke trust in the DigiNotar root itself, so every certificate chaining to it is rejected whether or not revocation information for that certificate is reachable. We encourage all users to keep their software up-to-date by regularly applying security updates. Users can also manually disable the DigiNotar root through the Firefox preferences (Certificate Manager, Authorities tab).
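To illustrate what distrusting a whole CA means in practice, as opposed to revoking one certificate, here is an added example (not Mozilla's or DigiNotar's code) that reads the issuer Name out of a DER/PEM certificate with a small stdlib-only DER walker and flags anything issued under a distrusted organization. The sample certificates are constructed inline by a tiny encoder for the demo; they are not the real mis-issued *.google.com certificate, and the distrust list, organization strings and helper names are assumptions made here.

```python
"""Flag X.509 certificates whose issuer belongs to a distrusted CA (added example)."""
import base64
import re

OID_CN = "2.5.4.3"    # commonName
OID_O = "2.5.4.10"    # organizationName

# Constructed distrust list (assumption): DigiNotar is the CA named in the post.
DISTRUSTED_ORGS = {"diginotar"}


# ---- DER decoding -------------------------------------------------------
def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV nested inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _decode_oid(raw):
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def parse_name(name):
    """DER Name (SEQUENCE OF SET OF {OID, value}) -> {dotted OID: text}."""
    out = {}
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))
            out[_decode_oid(oid)] = val.decode("utf-8", "replace")
    return out


def issuer_and_subject(der):
    """Return (issuer, subject) dicts from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate
    _, tbs, _ = _read_tlv(cert, 0)          # TBSCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # explicit [0] version (v2/v3) present
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return parse_name(fields[2][1]), parse_name(fields[4][1])


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def is_distrusted(der):
    """True when the issuer's O= is on the distrust list, regardless of revocation status."""
    issuer, _ = issuer_and_subject(der)
    return issuer.get(OID_O, "").lower() in DISTRUSTED_ORGS


# ---- tiny DER encoder, used only to build the constructed samples below --
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_cert(issuer, subject):
    """Unsigned, constructed certificate with the given Names (demo input only)."""
    def name(attrs):
        return _tlv(0x30, b"".join(
            _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x0C, t.encode())))
            for o, t in attrs))
    sigalg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")))  # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sigalg
               + name(issuer) + _tlv(0x30, b"") + name(subject))
    return _tlv(0x30, tbs + sigalg + _tlv(0x03, b"\x00"))


# Constructed samples (assumption): a *.google.com leaf under a DigiNotar issuer, and a benign one.
FRAUDULENT_DER = build_cert([(OID_O, "DigiNotar"), (OID_CN, "DigiNotar Public CA")],
                            [(OID_CN, "*.google.com")])
LEGIT_DER = build_cert([(OID_O, "Example CA"), (OID_CN, "Example Root")],
                       [(OID_CN, "www.example.com")])

if __name__ == "__main__":
    for label, der in (("DigiNotar-issued sample", FRAUDULENT_DER), ("Example CA sample", LEGIT_DER)):
        print(label, "-> distrusted" if is_distrusted(der) else "-> trusted")
```

The point of the check is that it does not care whether the leaf has been revoked or whether OCSP is reachable: once the issuer is on the list, nothing chaining to it is accepted, which is the effect the Firefox update achieves by removing the root's trust bits. The script is for triage of certificates you have exported (feed `pem_to_der()` a file's contents); it is not a substitute for chain validation, and in a real deployment the distrust belongs in the trust store (Firefox's Certificate Manager, or NSS `certutil -M -t ",,"` on the root's nickname), not in application code.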

Credit

This issue was reported to us by Google, Inc.


Johnathan Nightingale
Director of Firefox Development


65 responses

  1. Tom wrote on :

    To me, it looks like “mozilla” screwed up with FF build 3.6.22. With FF build 3.6.22, it looks like there are “server exceptions” for FRAUDULENT “usertrust” certificates, where fraudulent “usertrust” certificates will be trusted automatically, overriding any security checks, because of the “server exceptions” which were added in FF build 3.6.22.

    I am referring to the “server exceptions” in “FF/tools/options/advanced/view certificates/servers”.

  2. Fred5 wrote on :

    @Tom

    I am using Firefox 6.0.2 and have “The USERTRUST Network” certificates listed under the “Others” tab on my MacBook Air, and the same is listed under the “Servers” tab on my Mac Desktop.

    Diginotar and Diginotar B.V. are listed under the “Authorities” tab on both.

    Could Mozilla please clarify exactly what the updates were supposed to do and verify that this is indeed what is happening upon upgrade.

  3. dan wrote on :

    @Daniel Veditz:

    I’ve updated to the latest Firefox (6.02) a few days ago. I found I couldn’t distrust DigiNotar, as reported by some of my caring forum members.

    Also, I tend to conclude that you (and Mozilla) are not trying to protect your users; rather, you’re trying to protect governments and politicians who seldom browse the internet anyway. Those politicians in turn will deplete your customer base, because either they’ll be jailing or torturing us (i.e. no internet access), or better still, we’ll be shot dead. (btw, I’m NOT an Iranian, but I understand how it feels if I were put in the same situation)

    I repeat. I’ve updated to Firefox 6.02 a few days ago. But today, I’ve just downloaded Google Chrome. And it’s the first time ever I’ll be using Chrome. And I’ll probably be sticking with Chrome until they start making screwed up decisions as to support governments instead of its users (hopefully not!).

