Mozilla calls for web wide security check

[Image: open padlock (BBC)] Mozilla wants to be sure that security firms are not leaving themselves vulnerable to attack.

Web certificate authorities have been told to audit their security or risk being dumped from Firefox by the browser's developer Mozilla.

The demand follows a breach at Dutch certificate issuer DigiNotar which led to scores of bogus authentications being created.

Belgian security firm GlobalSign also stopped issuing new certificates amid fears it too may have been compromised.

Mozilla wants proof that other companies have protected their systems.

Attack pattern

Security certificate issuers have been given until 16 September to demonstrate to Mozilla that their internal networks have not been compromised.

It also wants to know what steps the issuers take when certificates are issued to make sure fakes are not being generated.

The security certificates issued by DigiNotar and many others act as an identity guarantee so people can be sure that the site or service they are connecting to is what it claims to be.

Typically users will notice that a certificate is being used by the appearance of a padlock icon, or the https prefix.

By penetrating DigiNotar's network and issuing fake certificates, hackers could pose as anyone they want and get at confidential messages or steal saleable data.

The attack on DigiNotar seems to have originated in Iran and put at risk about 300,000 people who use Gmail in that country, according to an interim report into the breach.

The hacker who carried out the DigiNotar attack, plus one on another security certificate firm, Comodo, earlier in 2011, bragged that he had access to four other CAs. This led to security checks at GlobalSign, one firm mentioned in the message.

In issuing its demand for audits, Mozilla said it reserved the right to revoke certificates recognised by Firefox.

Kathleen Wilson, head of Mozilla's security certificate group, said that working with Firefox was at its "sole discretion".

"We will take whatever steps are necessary to keep our users safe," wrote Ms Wilson.

If a certificate issuer is boycotted it could mean many users see pop-up warnings when trying to securely buy goods online or send messages.

Mozilla has already issued updates for Firefox to revoke DigiNotar certificates. Microsoft and Google have taken similar action with Chrome. Apple has yet to issue an update for Safari.
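The two ideas the article leans on, that a certificate only counts as an identity guarantee when it chains to a root the browser trusts, and that "revoking" a compromised issuer amounts to removing its root from that trust store, can be shown end to end in a few dozen lines. The following Go program is an added example written for this page; it is not BBC's, Mozilla's or DigiNotar's code. It constructs a throwaway root CA and a leaf certificate for the made-up hostname `mail.example.test`, verifies the leaf the way a client would, then verifies it again with the root dropped from the trust store and shows the result is the "unknown authority" failure that surfaces to users as a browser warning. All names, serial numbers and validity periods are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs template with parentKey on behalf of parent and returns the
// parsed certificate (self-signed when parent == template).
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates a constructed (not real) root CA and a leaf certificate
// for the hostname "mail.example.test" issued by that root.
func BuildDemoPKI() (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err = makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed serial
		Subject:      pkix.Name{CommonName: "mail.example.test"},
		DNSNames:     []string{"mail.example.test"}, // assumed hostname
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// VerifyAgainstTrustStore does what a browser does on connect: it checks that
// leaf chains to a root in the given trust store, is valid now, and is issued
// for hostname. It returns nil when trusted, otherwise the verification error.
func VerifyAgainstTrustStore(leaf *x509.Certificate, trusted []*x509.Certificate, hostname string) error {
	pool := x509.NewCertPool() // non-nil but possibly empty: never falls back to system roots
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "issuer not in trust store"
// failure, i.e. the outcome of distrusting the issuing root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	root, leaf, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted:   ", VerifyAgainstTrustStore(leaf, []*x509.Certificate{root}, "mail.example.test"))
	fmt.Println("root distrusted:", VerifyAgainstTrustStore(leaf, nil, "mail.example.test"))
}
```

The important design point is in `VerifyAgainstTrustStore`: the pool is created explicitly rather than left nil, because a nil `Roots` makes Go fall back to the operating system's trust store, which would silently undo the distrust being demonstrated. The same mistake in real client code is why a browser vendor's update, and not just a user's own settings, is needed to fully shut out a compromised issuer.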

Google has also moved to contact those who may have had their email communications spied upon as a result of the DigiNotar hack.

Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.