Mozilla Feels Remorse Over Keeping Mum About SSL Certificate Theft

By | March 25, 2011

Attackers used valid usernames and passwords to obtain nine SSL certificates on the 15th of March through a Comodo certificate reseller. An SSL certificate is what proves to a browser that a site is authentic. The log-in websites affected were Yahoo Mail, Google’s Gmail, Microsoft’s Hotmail, Skype, as well as Mozilla’s Firefox extension website.

Comodo revoked the certificates and brought the matter to the attention of Mozilla, Google, and Microsoft between the 15th and the 23rd of March. The breach of its reseller and the theft of the SSL certificates were announced on the 23rd of this month.

Google was the first to issue patches, on the 17th of March, adding the stolen certificates to its browser’s blacklist to protect users who might visit fake sites presenting those certificates. Mozilla and Microsoft followed shortly, on the 22nd and the 23rd respectively.
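The blacklist patches described above work by teaching the browser to reject specific certificates, typically identified by issuer and serial number or by a fingerprint of the certificate bytes. The following is an added example, not code from the article, from Comodo or from any browser vendor: a standard-library-only Python sketch of such a check. Because the article does not give the real certificates’ identifiers, it uses a constructed stand-in certificate format and placeholder values; the issuer name, the serials and the subject are assumptions.

```python
import hashlib

# Minimal DER helpers, written for this example only (not a full ASN.1 library).
def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def build_toy_cert(serial: int, subject: str) -> bytes:
    """Build a stand-in DER 'certificate' (constructed for this example):
    SEQUENCE { tbs SEQUENCE { [0] version, INTEGER serial, UTF8String subject } }.
    A real X.509 certificate carries far more, but the serial sits in the
    same place, which is all the blocklist check below needs."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                  # [0] EXPLICIT INTEGER 2 (v3)
    serial_der = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    subject_der = _tlv(0x0C, subject.encode())                 # placeholder, not a real Name
    return _tlv(0x30, _tlv(0x30, version + serial_der + subject_der))


def cert_serial(der: bytes) -> int:
    """Extract the serial number from a DER certificate (or the toy above)."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:  # the optional explicit version comes first when present
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 over the whole DER encoding, the usual browser fingerprint."""
    return hashlib.sha256(der).hexdigest()


def is_blocked(der: bytes, issuer: str, blocked_serials, blocked_fingerprints) -> bool:
    """True if the certificate matches the blocklist by (issuer, serial) or by fingerprint.
    Serial entries stop a revoked certificate even when only its serial is known;
    fingerprint entries catch one exact known-bad certificate."""
    if (issuer, cert_serial(der)) in blocked_serials:
        return True
    return fingerprint_sha256(der) in blocked_fingerprints


# Constructed sample data: a placeholder issuer, two serials and a tiny blocklist.
# None of these values are the real certificates from the Comodo incident.
ISSUER = "CN=Example Reseller CA"
ROGUE = build_toy_cert(0x1A2B3C, "mail.example.test")   # stands in for a stolen cert
LEGIT = build_toy_cert(0x1A2B3D, "mail.example.test")   # same name, different serial

BLOCKED_SERIALS = {(ISSUER, 0x1A2B3C)}
BLOCKED_FINGERPRINTS = set()


def check_all():
    """Return the blocklist verdict for each sample certificate."""
    return {
        "rogue": is_blocked(ROGUE, ISSUER, BLOCKED_SERIALS, BLOCKED_FINGERPRINTS),
        "legit": is_blocked(LEGIT, ISSUER, BLOCKED_SERIALS, BLOCKED_FINGERPRINTS),
    }


if __name__ == "__main__":
    for name, blocked in check_all().items():
        print(f"{name}: {'REJECT (blocklisted)' if blocked else 'allow'}")
```

The point of keying the list on issuer plus serial rather than on the hostname is visible in the two sample certificates: both claim the same subject, yet only the one whose serial was reported as stolen is rejected, while a certificate later re-issued for the same site continues to work.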

According to Comodo, the evidence points towards the Iranian government being involved. The company further speculated that the certificates were intended for setting up fake websites in order to identify activists and monitor their digital communications.

Neither the Comodo hack nor the existence of the rogue certificates was made public by any of the browser makers before the 22nd of March.

“Mozilla did not publish the information we received prior to shipping a patch,” the company acknowledged in a Friday entry on its security blog. “In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well.”

Mozilla today announced that this was a bad move.

“In hindsight, while it was made in good faith, this was the wrong decision. We should have informed Web users more quickly about the threat and the potential mitigations as well as their side-effects.”

Source: Computerworld

About (Author Profile)

Being passionate about software, Armin joined in early 2011 and has been actively writing ever since. Having accepted the challenge, he also enjoys watching anime, indulging in good books, staying fit and healthy, and trying new things.

Comments (4)


  1. For how much they charge for those certificates you’d think they have better security in place.
    Getting a Gmail certificate requires only a password??? Lies to cover their stupidity.

  2. Armin says:

    On a side note, Comodo is a browser maker itself. :P

  3. greenbutter says:

    vygantas, why don't you try doing articles on comodo?
    maybe it’ll be interesting to see how it fares among other competitive browsers.

    • Sarjoor says:

      Do you mean how Comodo Dragon fares browser-wise or security-wise?

      Browser-wise, I don’t think it’s any better than Chromium/Chrome, but it’s just a copy of Chromium, with just graphics and color changes. I know Dragon came out quite some time ago. Has Dragon’s browser-side codebase kept up with Chromium updates? If not, I don’t think Dragon will fare well, browser-wise.

      But Comodo Dragon is supposed to be “infused with Comodo’s unparalleled level of security” with their security enhancements. Anyone have any details about Dragon security-wise?