Mozilla wants all certificate authorities it supports in Firefox and in Thunderbird software to verify its systems are secure and to put in some manual controls.
After a cyber-attacker bragged online about having compromised Dutch certificate authority DigiNotar and several others, Mozilla has demanded the companies audit their systems to ensure they haven't been breached.

Mozilla wants the certificate authorities it recognizes in its software, including the likes of Symantec, Verizon and Go Daddy, to audit their systems to ensure they have not been compromised, Mozilla Certificate Authority Certificates Module owner Kathleen Wilson said in a Sept. 8 email.

The audit needs to confirm that nobody can issue a digital certificate for a site without two-factor authentication and that security processes are in place with any resellers or other partners who can issue certificates with the CA's root key, according to the email, which was posted on a Mozilla security discussion forum.

The CAs also must have "automatic blocks in place for high-profile domain names," Wilson wrote. Putting manual verification in place would make it harder for attackers to issue fraudulent Secure Sockets Layer (SSL) certificates for popular and high-traffic sites, such as Microsoft, Google and Yahoo, which were targeted in both the Comodo and DigiNotar attacks thus far this year. The fake certificates for Google and Facebook from DigiNotar may have affected 300,000 Iranian users in the past month as part of a man-in-the-middle attack.

"Please further confirm your process for manually verifying such requests, when blocked," Wilson wrote.
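The two controls Wilson describes, an automatic block on high-profile names and a two-factor check before issuance, sketched as an added Python example (not Mozilla's or any CA's code; the domain list and request format are constructed assumptions):

```python
"""Added example: gating certificate issuance on a high-profile domain list.

Names on a high-value list are blocked from automatic issuance and routed to
manual verification, and no issuance proceeds without a two-factor-confirmed
issuer session. The list and request format are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed high-profile list (registrable domains). A real CA would load
# its own curated list and keep it under change control.
HIGH_PROFILE_DOMAINS = frozenset(
    {"google.com", "microsoft.com", "yahoo.com", "facebook.com"}
)


@dataclass(frozen=True)
class Decision:
    auto_issue: bool
    reason: str


def _labels(name: str) -> List[str]:
    # Normalise: drop trailing dot, lower-case, split into DNS labels.
    return name.strip().rstrip(".").lower().split(".")


def matches_high_profile(name: str) -> Optional[str]:
    """Return the protected domain a requested name falls under, else None.

    Matching is on label boundaries, so mail.google.com matches google.com
    while notgoogle.com and google.com.example do not. A leading wildcard
    label is treated as a child of the base name.
    """
    labels = _labels(name)
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in HIGH_PROFILE_DOMAINS:
            return candidate
    return None


def review_request(subject_names: Iterable[str], two_factor_confirmed: bool) -> Decision:
    """Decide whether a request may be auto-issued or must go to manual review."""
    if not two_factor_confirmed:
        return Decision(False, "issuer session lacks two-factor authentication")
    for n in subject_names:
        hit = matches_high_profile(n)
        if hit:
            return Decision(False, f"{n} falls under high-profile domain {hit}; manual verification required")
    return Decision(True, "no high-profile names; automated validation may proceed")
```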
The most worrying part of the claim made by "Comodohacker" in the statement posted Sept. 5 on text-sharing site Pastebin was the fact that the attacker still had access to the compromised systems and could still issue certificates.

"Comodohacker" claims to have been behind the breaches on multiple Comodo resellers earlier this year and on DigiNotar in June. Comodohacker claimed to have compromised DigiNotar and four other certificate authorities (CAs), including GlobalSign.

"I have access to their entire server...BUT YOU HAVE TO HEAR SO MUCH MORE! SO MUCH MORE! At least 3 more, AT LEAST! Wait and see," according to the post.

While all Comodo-signed certificates had been revoked almost immediately after they were issued, many of the fake certificates issued by DigiNotar have not yet been revoked. The company initially claimed that "dozens" of certificates were fraudulently issued. That number has ballooned to over 500 after an audit by digital forensics firm Fox-IT.

GlobalSign suspended issuing digital certificates after the post appeared and hired Fox-IT to perform a security audit. The Belgian company said on its Twitter feed that it plans to resume issuing certificates on Sept. 12.