Burned by DigiNotar, Mozilla tells cert cops to audit security

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2011/09/08/mozilla_certificate_authority_audit/

By Dan Goodin in San Francisco
The Register
8th September 2011

Mozilla has directed all web authentication authorities trusted by its 
software to conduct security audits to ensure they aren't being abused 
to issue counterfeit secure sockets layer certificates.

Thursday's note from Kathleen Wilson, who oversees the certificate 
authorities included in the Firefox browser and Thunderbird email 
client, gives all participants eight days to confirm their systems are 
secure from the same type of compromise that recently hit 
Netherlands-based DigiNotar. Hackers penetrated the authority's 
certificate issuance systems and minted at least 531 counterfeit 
credentials, including one for a Google.com that was used to spy on 
Iranians accessing their Gmail accounts.

“Mozilla recently removed the DigiNotar root certificate in response to 
their failure to promptly detect, contain, and notify Mozilla of a 
security breach regarding their root and subordinate certificates,” 
Wilson wrote. “If you ever have reason to suspect a security breach or 
mis-issuance has occurred at your CA or elsewhere, please contact 
[Mozilla] immediately.”

DigiNotar's omissions came as a personal affront to Mozilla, since one 
of the domains they imperiled was https://addons.mozilla.org/, home of 
tens of thousands of addons that add powerful capabilities to the 
default versions of Firefox and Thunderbird.

[...]

_____________________________________________________________
Register now for the #HITB2011KUL - Asia's premier
deep-knowledge network security event now in it's 9th year!
http://conference.hitb.org/hitbsecconf2011kul/