Mozilla Feels Remorse Over Keeping Mum About SSL Certificate Theft

Attackers utilized genuine passwords and usernames to get a hold of nine SSL certificates on the 15th of March via a Comodo certificate reseller. What SSL certificates do is basically prove the authenticity of a site. The log-on websites affected were Yahoo Mail, Google’s Gmail, Microsoft’s Hotmail, Skype, as well as Mozilla’s Firefox extension website.

Comodo revoked the certificates and brought the matter to the attention of Mozilla, Google, and Microsoft between the 15th and the 23rd of March. The breach of its reseller and the theft of the SSL certificates were announced on the 23rd of this month.

Patches to add the stolen certificates to browsers’ blacklists in case users visited fake sites boasting the certificates were first issued on the 17th of March by Google. Mozilla and Microsoft followed shortly on the 22nd and the 23rd respectively.

According to Comodo, evidence points towards the Iranian government being involved. The company continued to speculate that the certificates were intended for the setting up of fake websites so as to identity activists and monitor their digital communications.

The Comodo hack or the existence of the rogue certificates were not not made public before the 22nd of March by any of the browser makers.

Mozilla did not publish the information we received prior to shipping a patch,” the company acknowledged in a Friday entry on its security blog. “In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well.

Mozilla today announced that this was a bad move.

In hindsight, while it was made in good faith, this was the wrong decision. We should have informed Web users more quickly about the threat and the potential mitigations as well as their side-effects.

Source: Computerworld