Mozilla gets tough after digital certificates hack

Firefox browser distributor Mozilla today gave companies that sell digital certificates a week to take actions to improve their security after a certificate authority (CA) was hacked and Gmail users in Iran were targeted in a recent attack.

When a Web surfer visits a site over a protected SSL (Secure Sockets Layer) connection, the browser provides a visual indication that the site is trusted--a green URL bar or padlock, usually--based on the digital certificate for the site. If the digital certificate, which is used to authenticate a site as legitimate, is revoked or has some other problem, the browser will display a warning.

"Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe," Kathleen Wilson, module owner of Mozilla's CA Certificates Module, wrote in a public letter to CAs.

"Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve," the post said. "Thank you for your participation in this pursuit."

Also today, Adobe said it was in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List. In the meantime, the company gave instructions for how to manually remove the certificates from Adobe Reader and Acrobat.

The Mozilla letter comes after Dutch CA DigiNotar revealed last week that it had discovered a breach in its system on July 19 that had enabled someone to issue what turned out to be more than 500 fraudulent certificates, including one that was used to spoof the Google.com domain. Google said the incident primarily affected people in Iran, possibly as many as 300,000, according to a Dutch forensics report.

"Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates," Wilson wrote.

She then lists five actions Mozilla wants CAs to take by September 16. They include: auditing the public key infrastructure and checking for intrusion or compromise; providing an inventory of certificates signed by multiple CAs; confirming that multifactor authentication is required for accounts that issue certificates; and confirming that automatic blocks are in place for high-profile domains like Google.com and for manually verifying such requests, when blocked. Mozilla also is requiring technical controls or inventories and other information from third-party CAs.

Wilson did not say what will happen if the four dozen or so CAs it lists as trusted don't meet those requirements in time.

Meanwhile, someone who has taken credit for the DigiNotar hack, as well as breaches of other CAs including GlobalSign, StartCom and Comodo earlier this year, threatened to release more proof of the attacks and to broaden the scope of the next attack.

"This time attack was limited to Iran, next time, I'll own as more as gateways in Israel, USA, Europe, as more as ISPs and attack will run there," the hacker, who goes by the alias Ich Sun, wrote in a post on Pastebin.

The hacker also claimed to have access to GlobalSign's entire server, database backups, and a private key of its own globalsign.com domain, as well as e-mails, database backups and customer data of StartCom, which the hacker promised to publish in the "near future."

Eddy Nigg, chief technology officer at Israel-based StartCom, told CNET he had no comment on the hacker's threat, but confirmed that his firm had been targeted by a hacker earlier in the year. In that incident, someone had tried to issue fraudulent certificates through StartCom for Google and other major Web sites, but had failed, according to a report in June from The Register.

GlobalSign, which stopped issuing certificates after Ich Sun made his claims earlier this week, denied that the hacker has its private key, saying that the GlobalSign CA root was created "offline" and remains offline.

"Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA. The investigation also continues," the company said in a statement today. "We deem these claims to represent an industry wide attack."

Meanwhile, GlobalSign plans to start bringing its services back online on Monday, the statement said.

While Comodo and others have suggested that a nation-state is behind the attacks, Ich Sun says he is just a 21-year-old Iranian patriot operating on his own to protest the policies of the U.S. and other countries.

The breaches and spoofing attacks highlight flaws in the underlying structure for Web site authentication, in which more than 600 companies are entrusted to sell digital certificates. The certificates are supposed to serve as proof that a Web site is the site it claims to be when a Web surfer uses an "https" connection. But the companies providing the certificates have differing levels of security and no standard process for automatically revoking fraudulent certificates.

Updated 6:18 p.m. PT with Adobe's plan to remove DigiNotar certificate from Adobe Reader and Acrobat.

Update 11:30 a.m. PT September 9: Apple issued security updates for Snow Leopard and Lion today that addresses the fraudulent DigiNotar certificate issue.