Mozilla Demands All CAs Audit Security in Light of DigiNotar SSL Breach

Mozilla wants every certificate authority whose root it ships in Firefox and Thunderbird to verify that its systems are secure and to add manual controls for certificate requests covering high-profile domain names.

After a cyber-attacker bragged online about having compromised Dutch certificate authority DigiNotar and several others, Mozilla has demanded the companies audit their systems to ensure they haven't been breached.

Mozilla wants the certificate authorities it recognizes in its software, including the likes of Symantec, Verizon and Go Daddy, to audit their systems to ensure they have not been compromised, Mozilla Certificate Authority Certificates Module owner Kathleen Wilson said in a Sept. 8 email.

The audit needs to confirm that no account able to trigger certificate issuance can do so without two-factor authentication, and that equivalent security processes are in place at any resellers or other partners able to issue certificates that chain to the CA's root (the reseller channel is how the Comodo breach earlier this year went through), according to the email, which was posted on a Mozilla security discussion forum.

The CAs also must have "automatic blocks in place for high-profile domain names," Wilson wrote. Such a block holds any request for a listed domain until a person verifies it, which makes it harder for an attacker who has gained issuance access to obtain fraudulent Secure Sockets Layer (SSL) certificates for popular, high-traffic sites such as Microsoft, Google and Yahoo, the targets in both the Comodo and DigiNotar attacks this year. The fraudulent certificates for Google and Facebook issued from DigiNotar may have affected some 300,000 Iranian users over the past month in a man-in-the-middle attack.

"Please further confirm your process for manually verifying such requests, when blocked," Wilson wrote.
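What such an issuance gate looks like in practice, as an added example that is not code from Mozilla or from any CA: a request's subject names are normalized, compared against a high-profile block list (exact match, subdomain, or a wildcard that would cover a listed name), and any hit is held for manual verification; the same gate refuses outright when the issuing session has no multi-factor authentication. The block list, the ticket identifier and the function names are all constructed for the example.

```python
"""Hypothetical high-profile-domain issuance gate (example only)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed block list. A real CA would build it from the domains named in
# the Comodo and DigiNotar incidents plus its own list of widely used sites.
# Assumption: entries are lower-case registrable domains or hostnames.
HIGH_PROFILE_DOMAINS = frozenset({
    "google.com", "facebook.com", "microsoft.com", "yahoo.com",
    "mozilla.org", "addons.mozilla.org",
})


@dataclass
class IssuanceDecision:
    allowed: bool
    blocked_names: List[str] = field(default_factory=list)
    reason: str = ""


def normalize_name(name: str) -> str:
    """Canonical form used for comparison: lower case, no trailing dot,
    non-ASCII labels converted to their IDNA A-label (xn--...) form so the
    comparison happens on the name as it would appear on the wire."""
    name = name.strip().lower().rstrip(".")
    labels = []
    for label in name.split("."):
        labels.append(label if label.isascii()
                      else label.encode("idna").decode("ascii"))
    return ".".join(labels)


def matches_high_profile(name: str,
                         blocklist=HIGH_PROFILE_DOMAINS) -> Optional[str]:
    """Return the block-list entry that `name` falls under, or None.

    A name is blocked if it equals a listed domain, is a subdomain of one,
    or is a wildcard whose base would cover one: "*.google.com" covers
    mail.google.com, and "*.com" covers google.com itself.
    """
    name = normalize_name(name)
    is_wildcard = name.startswith("*.")
    base = name[2:] if is_wildcard else name
    labels = base.split(".")
    # Walk up the label chain: mail.google.com -> google.com -> com
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    # A wildcard whose base is a parent of a listed domain covers that domain
    if is_wildcard:
        for listed in sorted(blocklist):
            if listed.endswith("." + base):
                return listed
    return None


def evaluate_request(san_names: Iterable[str], mfa_verified: bool,
                     manual_approval_ticket: Optional[str] = None
                     ) -> IssuanceDecision:
    """Decide whether a request may be issued automatically.

    Issuance without multi-factor authentication is refused outright; a
    request naming a high-profile domain is held until a human attaches a
    manual-verification ticket (a constructed identifier in this example).
    """
    if not mfa_verified:
        return IssuanceDecision(False, [], "issuing session lacks multi-factor authentication")
    blocked = [normalize_name(n) for n in san_names if matches_high_profile(n)]
    if blocked and manual_approval_ticket is None:
        return IssuanceDecision(False, blocked, "held for manual verification")
    if blocked:
        return IssuanceDecision(True, blocked,
                                f"high-profile names manually approved under {manual_approval_ticket}")
    return IssuanceDecision(True, [], "no high-profile names; automatic issuance")


if __name__ == "__main__":
    # Constructed sample requests
    for names, mfa, ticket in [
        (["www.example.net"], True, None),
        (["login.yahoo.com", "cdn.example.net"], True, None),
        (["*.google.com"], True, "MV-0001"),
        (["www.example.net"], False, None),
    ]:
        d = evaluate_request(names, mfa, ticket)
        print(names, "->", "ALLOW" if d.allowed else "HOLD/DENY", d.reason)
```

The block check runs on every request regardless of which operator, reseller or partner submitted it, which is the point of Wilson's "automatic" wording: the control cannot be skipped by whoever holds the issuing credentials. Wildcard handling matters because a certificate for "*.com" would cover every listed domain without naming any of them.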

The most worrying part of the claim made by "Comodohacker" in the statement posted Sept. 5 on text-sharing site Pastebin was the assertion that the attacker still had access to the compromised systems and could still issue certificates. "Comodohacker" claims to have been behind the breaches of multiple Comodo resellers earlier this year and of DigiNotar in June, and to have compromised four other certificate authorities (CAs) besides DigiNotar, including GlobalSign.

"I have access to their entire server...BUT YOU HAVE TO HEAR SO MUCH MORE! SO MUCH MORE! At least 3 more, AT LEAST! Wait and see," according to the post.

While the fraudulent Comodo-signed certificates were revoked almost immediately after they were issued, many of the fake certificates issued by DigiNotar have still not been revoked. The company initially claimed that "dozens" of certificates had been fraudulently issued; that number has ballooned to over 500 after an audit by digital forensics firm Fox-IT.

GlobalSign suspended issuing digital certificates after the post appeared and hired Fox-IT to perform a security audit. The Belgian company said on its Twitter feed that it plans to resume issuing certificates on Sept. 12.