Mozilla eyes changes 'to keep our users safe'

In the wake of problems involving faked certificates, the browser maker wants certificate authorities to adopt a standard on baseline requirements to ensure trustworthiness.

Darren Pauli

Mozilla is reviewing a final draft of its baseline policies to address problems in the way that Internet certificates are issued.

The browser maker wants certificate authorities (CAs) to adopt a standard dubbed "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates," published by the Certificate and Browser Forum and still in final draft.

Mozilla consultant Kathleen Wilson said on a Mozilla development forum that CAs will have until May 25 to review the draft.

She said that from June 30, Mozilla software will refuse certificates signed with the troubled MD5 hash algorithm for intermediate and end-entity CAs, and "will take this action earlier and at its sole discretion if necessary to keep our users safe."

In late 2008, security researchers had already exploited weaknesses in the MD5 algorithm to forge certificates.

Read more of "Mozilla drafts changes to certificate policy" at ZDNet Australia.