  1. #1
    3 Star Lounger WildcatRay's Avatar
    Join Date
    Feb 2010
    Location
    Columbus, OH
    Posts
    205
    Thanks
    16
    Thanked 7 Times in 7 Posts

    Update your browsers because of fraudulent certificates

    The Why:
    DigiNotar Removal Follow Up

    09.02.11 - 06:28pm

    Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

    Three central issues informed our decision:

    1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own addons.mozilla.org domain.

    2) The scope of the breach remains unknown. While we were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. We now know that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.

    3) The attack is not theoretical. We have received multiple reports of these certificates being used in the wild.

    Mozilla has a strong history of working with CAs to address shared technical challenges, as well as responding to and containing breaches when they do arise. In an incident earlier this year we worked with Comodo to block a set of mis-issued certificates that were detected, contained, and reported to us immediately. In DigiNotar’s case, by contrast, we have no confidence that the problem had been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches.
    Link to the complete article.

    If you do not use Mozilla software like Firefox or Thunderbird, check with your program's technical support function.

    For Firefox and Thunderbird, the most recent releases with the DigiNotar certificates revoked are both 6.0.1. (I know there are still older supported releases, but it is best that most users update to the latest releases, which is why I am not mentioning them here.)

    EDIT: See my post below
    Last edited by WildcatRay; 2011-09-06 at 14:48.

  3. #2
    Firefox is now up to version 6.0.2 for the above-referenced issue regarding fraudulent certifications. See here for more information.

  4. #3
    For more information about the fraudulent certificates issue, see Susan Bradley's article about it.
