Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension; it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.
Three central issues informed our decision:
1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own addons.mozilla.org domain.
2) The scope of the breach remains unknown. While we were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. We now know that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.
3) The attack is not theoretical. We have received multiple reports of these certificates being used in the wild.
Mozilla has a strong history of working with CAs to address shared technical challenges, as well as responding to and containing breaches when they do arise. In an incident earlier this year we worked with Comodo to block a set of mis-issued certificates that were detected, contained, and reported to us immediately. In DigiNotar’s case, by contrast, we have no confidence that the problem has been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches.
Staat der Nederlanden Certificates
DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden). The Dutch government’s Computer Emergency Response Team (GovCERT) indicated that these certificates are issued independently of DigiNotar’s other processes and that, in their assessment, these had not been compromised. The Dutch government therefore requested that we exempt these certificates from the removal of trust, which we agreed to do in our initial security update early this week.
The Dutch government has since audited DigiNotar’s performance and rescinded this assessment. We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products. We understand that other browser vendors are making similar changes. We’re also working with our Dutch localizers and the Bits of Freedom group in the Netherlands to contact individual site operators using affected certificates (based on the EFF’s SSL Observatory data).
The integrity of the SSL system cannot be maintained in secrecy. Incidents like this one demonstrate the need for active, immediate and comprehensive communication between CAs and software vendors to keep our collective users safe online.
Johnathan Nightingale
Director of Firefox Engineering