Mozilla requests Firefox CAs to confirm they haven’t been compromised
As Google began notifying users who may have been affected by man-in-the-middle attacks that used the rogue SSL certificate issued by compromised CA DigiNotar, and instructing them on how to secure their Gmail accounts once again, other companies made some weighty decisions.
Adobe has announced that it is in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL), and Mozilla has issued a request to all CAs – 54 of them, using 147 root certificates – trusted by Firefox and Thunderbird: “Check your systems and confirm that you haven’t been compromised”.
Kathleen Wilson, the overseer of Mozilla’s CA certificates program, has sent the email to all CAs participating in it, asking them to audit their PKI and systems for intrusions; send Mozilla a complete list of CA certificates from other roots in Mozilla’s program that their roots have cross-signed; confirm that they have automatic blocks in place for high-profile domain names; confirm the use of multi-factor authentication for all accounts capable of certificate issuance; and perform security checks of, or share the list of, external third parties (CAs and RAs) that issue certificates.
“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe,” she concluded, and asked them to send the required information and confirmation by September 16.
As the security community begins to search for alternatives to the SSL certificate system, many have pointed towards Convergence, a distributed replacement for the CA system devised by Moxie Marlinspike.
But, according to The Register, Google security researcher Adam Langley said that it’s unlikely that Convergence would be added to Chrome.
“Although the idea of trust agility is great, 99.99% of Chrome users would never change the default settings,” he pointed out. “Indeed, I don’t believe that an option for setting custom notaries would even meet the standards for inclusion in the preferences UI.”
Marlinspike responded by saying that he is aware of the flaws of the solution he developed in his spare time, but that all these problems are solvable if browser vendors get behind the idea and finance it.
In the meantime, GlobalSign – the CA that has been named by the Comodohacker as also compromised and has stopped issuing certificates until it investigates these claims – has announced that it plans to bring some of its services back online on Monday.
“We would like to take the opportunity to explain that the GlobalSign CA root was created offline, and always has been offline,” it added. “Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA.”