SSL meltdown: Mozilla admits mistakes in its information policy
Although Mozilla recently responded to the compromising of Comodo's Certificate Authority by issuing Firefox 4 as well as updates for Firefox 3.5/3.6, the non-profit organisation hardly published any of its own information concerning the incident. In a blog posting, Mozilla has now provided further information and said that a previous decision not to release information was a mistake.
The authors of the Mozilla blog post write that Comodo had already notified Mozilla about the threat on the morning of 16 March. Mozilla said that it responded by incorporating a blacklist and releasing Firefox 4 as well as updated versions 3.5 and 3.6 on 22 March.
As soon as the patched versions were released, Mozilla said it made a release announcement with some details of the problem. The developers said that they were concerned though that the attackers could block the security measures they just implemented. However, in hindsight Mozilla admits that this was the wrong decision to make: "We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects", said the developers.
Mozilla also said that it requested that Comodo publish a full account of exactly what happened, monitor the Online Certificate Status Protocol (OCSP) for evidence of the use of these certificates, and cancel all relationships with the Registration Authority (RA) concerned. According to Mozilla, Comodo is complying with all three requests. Reportedly, no sign of use or blocking of the certificates in question has so far been registered from the monitoring of the OCSP requests. Mozilla also requested that Comodo change their practices to use intermediate certificates rather than issuing directly off the root, and that they use a different certificate for each RA as it is concerned by the amount of trust Comodo has placed in "RAs whose network security they did not oversee".
- SSL meltdown: a cyber war attack?, a report from The H.