Mozilla has decided that once-broken trust isn't easily restored. Today, the open-source developer of Firefox issued an ultimatum to certificate authorities, in the wake of the spreading damage caused by the DigiNotar hack. Certificates like those DigiNotar and other CAs issue are the backbone of Internet trust. That lock you see in the browser represents security and trust in the website where transactions occur. But third parties issue the certificates, on the presumption that they are more trustworthy than your local bank or other online service.
The hacker claiming to have broken into DigiNotar, who goes by the handle COMODOHACKER, also claims to have breached four other CAs and issued at least 531 rogue certificates. Major browser developers, Microsoft among them, have banned DigiNotar and dispatched updates to block the rogue certificates.
Mozilla is going further, demanding that CAs provide certain assurances and make changes to restore the organization's trust in them and the certificates they issue. Mozilla set a September 16 deadline. The aggressive posture is meant to restore trust, and for good reason: news about the DigiNotar hacks grows every day, and once afraid, people aren't quick to trust.
Kathleen Wilson, module owner of Mozilla's CA Certificates Module, writes in the letter:
"Dear Certification Authority,
This note requests a set of immediate actions on your behalf, as a participant in the Mozilla root program.
Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates. If you ever have reason to suspect a security breach or mis-issuance has occurred at your CA or elsewhere, please contact secur...@mozilla.org immediately.
Please confirm completion of the following actions or state when these actions will be completed, and provide the requested information no later than September 16, 2011:
1. Audit your PKI and review your systems to check for intrusion or compromise. This includes all third party CAs and RAs.
2. Send a complete list of CA certificates from other roots in our program that your roots (including third party CAs and RAs) have cross-signed. A listing of all root certificates in Mozilla's products is here.
3. Confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance.
4. Confirm that you have automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year). Please further confirm your process for manually verifying such requests, when blocked.
5. For each external third party (CAs and RAs) that issues certificates or can directly cause the issuance of certificates within the hierarchy of the root certificate(s) that you have included in Mozilla products, either:
a) Implement technical controls to restrict issuance to a specific set of domain names which you have confirmed that the third party has registered or has been authorized to act for (e.g. RFC5280 x509 dNSName name constraints, marked critical).
OR
b) Send a complete list of all third parties along with links to each of their corresponding Certificate Policy and/or Certification Practice Statement and provide public attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA's internal operations.
Each action requested above applies both to your root and to these third parties.
Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve. Thank you for your participation in this pursuit.
Regards,
Kathleen Wilson
Module Owner of Mozilla's CA Certificates Module"