Mozilla calls for web wide security check

Mozilla wants to be sure that security firms are not leaving themselves vulnerable to attack.

Web certificate authorities have been told to audit their security or risk being dumped from Firefox by the browser's developer Mozilla.

The demand follows a breach at Dutch certificate issuer DigiNotar which led to scores of bogus authentications being created.

Belgian security firm GlobalSign also stopped issuing new certificates amid fears it too may have been compromised.

Mozilla wants proof that other companies have protected their systems.

Attack pattern

Security certificate issuers have been given until 16 September to demonstrate to Mozilla that their internal networks have not been compromised.

It also wants to know what steps the issuers take when certificates are issued to make sure fakes are not being generated.

The security certificates issued by DigiNotar and many others act as an identity guarantee so people can be sure that the site or service they are connecting to is what it claims to be.

Typically users will notice that a certificate is being used by the appearance of a padlock icon, or the https prefix.

By penetrating DigiNotar's network and issuing fake certificates, hackers could pose as anyone they want and get at confidential messages or steal saleable data.

The attack on DigiNotar seems to have originated in Iran and put at risk about 300,000 people who use Gmail in that country, according to an interim report into the breach.

The hacker who carried out the DigiNotar attack, plus one on another security certificate firm, Comodo, earlier in 2011, bragged that he had access to four other CAs. This led to security checks at GlobalSign, one firm mentioned in the message.

In issuing its demand for audits, Mozilla said it reserved the right to revoke certificates recognised by Firefox.

Kathleen Wilson, head of Mozilla's security certificate group, said that working with Firefox was at its "sole discretion".

"We will take whatever steps are necessary to keep our users safe," wrote Ms Wilson.

If a certificate issuer is boycotted it could mean many users see pop-up warnings when trying to securely buy goods online or send messages.

Mozilla has already issued updates for Firefox to revoke DigiNotar certificates. Microsoft and Google have taken similar action with Chrome. Apple has yet to issue an update for Safari.

Google has also moved to contact those who may have had their email communications spied upon as a result of the DigiNotar hack.

BBC © 2014