FOLLOWING THE RECENT SECURITY BREACH at Dutch certificate authority (CA) Diginotar that resulted in hundreds of rogue certificates being issued by a hacker, Mozilla has instructed all CAs to review the security of their processes and report back on their findings.
Even though the Diginotar breach was mitigated by removing the company's root certificates from Firefox and Thunderbird, Mozilla users are still at risk because the hacker claims to have compromised four more CAs as well, one of them being Globalsign.
His successful attacks against Comodo, Startcom and Diginotar are reason enough to take this threat seriously, so Mozilla has sent an urgent letter to all CAs asking them to take several steps meant to find and mitigate any possible compromises.
"This note requests a set of immediate actions on your behalf, as a participant in the Mozilla root program. [...] Please confirm completion of the following actions or state when these actions will be completed, and provide the requested information no later than September 16, 2011," the organization wrote in its letter.
These actions include auditing their public key infrastructure (PKI) and reviewing their computer systems for signs of intrusion or compromise; the requirement extends to all of their sub-CAs and registration authorities (RAs).
CAs are also asked to provide a list of third-party root certificates they cross-signed and must confirm using multi-factor authentication for all accounts capable of issuing certificates.
Another requirement is to enforce automatic blocks on issuing certificates for high-profile domains, like those targeted in the Diginotar and Comodo attacks. The manual verification process for the blocked requests must also be described.
Finally, for each CA and RA that is part of its hierarchy, a certificate authority must implement controls that restrict certificate issuance powers to only the set of domains they are authorized to act for. The list of such third-party organizations must be submitted back to Mozilla along with copies of their certificate policies, practices and compliance documentation.
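The two controls in the last two paragraphs, an automatic block on high-profile domains that diverts the request to manual verification, and a per-RA restriction on the domains each registration authority may act for, can both be enforced as a single pre-issuance policy gate. The following is an added illustration written for this article, not code from Mozilla or from any CA; the domain lists, issuer names and request data are constructed samples.

```python
"""Pre-issuance policy gate: per-issuer domain authorisation plus a
high-profile domain block that routes requests to manual verification.
Added illustration for this article; all names and lists are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample block list (the article names no specific domains).
# A request for one of these domains, or any subdomain, is never issued
# automatically and goes to manual verification instead.
HIGH_PROFILE_DOMAINS = frozenset({"example-mail.com", "example-bank.com"})

# Constructed sample RAs / sub-CAs and the domains each is allowed to act for.
# None means unrestricted (the CA's own validation desk); the block list
# above still applies to it.
ISSUER_AUTHORIZED_DOMAINS: dict[str, Optional[frozenset]] = {
    "ca-direct": None,
    "ra-university": frozenset({"example.edu"}),
    "ra-hosting": frozenset({"example.net", "hosting-example.com"}),
}


@dataclass(frozen=True)
class Decision:
    outcome: str  # "issue", "manual_review" or "reject"
    reason: str


def normalize(name: str) -> str:
    """Canonical form used for every comparison: lower case, no trailing dot."""
    return name.strip().rstrip(".").lower()


def is_valid_dns_name(name: str) -> bool:
    """Accept only plain DNS names, optionally prefixed with '*.'."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    return bool(name) and all(
        label and len(label) <= 63 and label.replace("-", "").isalnum()
        for label in labels
    )


def covered_by(name: str, domain: str) -> bool:
    """True if name equals domain or lies below it in the DNS tree.
    A wildcard is judged by its base, since it covers the whole subtree,
    so '*.edu' is not covered by 'example.edu'."""
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def evaluate_request(issuer: str, requested_names: Iterable[str]) -> Decision:
    """Apply the policy gate to one certificate request (issuer + SAN list)."""
    names = [normalize(n) for n in requested_names]
    bad = [n for n in names if not is_valid_dns_name(n)]
    if bad:
        return Decision("reject", "malformed name(s): " + ", ".join(bad))
    if issuer not in ISSUER_AUTHORIZED_DOMAINS:
        return Decision("reject", f"unknown issuer {issuer!r}")
    allowed = ISSUER_AUTHORIZED_DOMAINS[issuer]
    if allowed is not None:
        outside = [n for n in names if not any(covered_by(n, d) for d in allowed)]
        if outside:
            return Decision("reject", f"{issuer} not authorised for: " + ", ".join(outside))
    flagged = [n for n in names if any(covered_by(n, d) for d in HIGH_PROFILE_DOMAINS)]
    if flagged:
        return Decision("manual_review", "high-profile domain(s): " + ", ".join(flagged))
    return Decision("issue", "within issuer authorisation and not on the block list")


if __name__ == "__main__":
    # Constructed sample requests exercising each branch of the gate.
    samples = [
        ("ra-university", ["www.example.edu", "*.example.edu"]),
        ("ra-university", ["*.edu"]),
        ("ra-hosting", ["login.example-mail.com"]),
        ("ca-direct", ["Login.Example-Mail.COM."]),
        ("ca-direct", ["www.example.org"]),
        ("ra-unknown", ["a.example.edu"]),
    ]
    for issuer, names in samples:
        d = evaluate_request(issuer, names)
        print(f"{issuer:15} {names!r:45} -> {d.outcome}: {d.reason}")
```

The authorisation check runs before the high-profile check so that an RA asking for a domain outside its remit is refused outright rather than queued for a human; wildcards are evaluated by their base name, which stops a request such as `*.edu` from slipping past an `example.edu` restriction.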
The software vendor is ready to take drastic measures if its requests are not met. "Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe," it wrote.
Meanwhile, Adobe is following in the footsteps of Mozilla, Google and Microsoft and is removing all Diginotar root certificates from its Adobe Approved Trust List (AATL). The AATL is only used in Adobe Reader and Acrobat and can be modified manually by following instructions published by the company.
As admitted by Comodohacker, his attempt was foiled by "Lucy Eddy", Startcom's CEO, who was doing manual verification at the time and had stopped him from getting in.
BTW why are the cacert.org root certificates still not included with Mozilla? After so many years?
Cacert.org offers free certificates issued to you by the CAcert Community (the users) worldwide. For instance, the Gentoo Linux web site uses cacert.org certificates.
Chris's comment about all browser users being at risk is correct, especially Safari, since Apple apparently have done nothing on their end.
However, this article is specifically about what steps Mozilla are taking to protect their user base, and thus, in context, I don't see the "Mozilla users are still at risk" comment as out of line. If anything, it kinda looks like a "kudos" article to Mozilla for actually having the stones to do something to protect their users.
--SYG
You make it sound like only FF and TBird users are 'at risk'. All Browser users are at risk.