Mozilla calls for web wide security check
- 9 September 2011
- From the section Technology
Web certificate authorities have been told to audit their security or risk being dumped from Firefox by the browser's developer Mozilla.
The demand follows a breach at Dutch certificate issuer DigiNotar which led to scores of bogus authentications being created.
Belgian security firm GlobalSign also stopped issuing new certificates amid fears it too may have been compromised.
Mozilla wants proof that other companies have protected their systems.
It also wants to know what steps the issuers take when certificates are issued to make sure fakes are not being generated.
The security certificates issued by DigiNotar and many others act as an identity guarantee so people can be sure that the site or service they are connecting to is what it claims to be.
Typically users will notice that a certificate is being used by the appearance of a padlock icon, or the https prefix.
By penetrating DigiNotar's network and issuing fake certificates, hackers could pose as anyone they want and get at confidential messages or steal saleable data.
The attack on DigiNotar seems to have originated in Iran and put at risk about 300,000 people who use Gmail in that country, according to an interim report into the breach.
The hacker who carried out the DigiNotar attack, plus one on another security certificate firm, Comodo, earlier in 2011, bragged that he had access to four other CAs. This led to security checks at GlobalSign, one firm mentioned in the message.
In issuing its demand for audits, Mozilla said it reserved the right to revoke certificates recognised by Firefox.
Kathleen Wilson, head of Mozilla's security certificate group, said that working with Firefox was at its "sole discretion".
"We will take whatever steps are necessary to keep our users safe," wrote Ms Wilson.
If a certificate issuer is boycotted it could mean many users see pop-up warnings when trying to securely buy goods online or send messages.
Mozilla has already issued updates for Firefox to revoke DigiNotar certificates. Microsoft and Google have taken similar action with Chrome. Apple has yet to issue an update for Safari.
Google has also moved to contact those who may have had their email communications spied upon as a result of the DigiNotar hack.