Firefox Update Blocks DigiNotar Security Certificates
Posted on by Peter James
We recently reported on fraudulent SSL certificates issued by DigiNotar, a Dutch certificate authority. The extent of this problem has slowly become apparent, as it was found that the breach was due to “disastrous security” at the company, and the certificates were pulled on browsers but not on smartphones.
The Mozilla Foundation has released Firefox 6.0.2, as well as updates to other programs (Firefox Mobile 6.0.2, Firefox 3.6.22, Thunderbird 6.0.2, Thunderbird 3.1.14 and SeaMonkey 2.3.3), to fix some of the problems related to these certificates. A previous update blocked DigiNotar’s root certificate, but this update explicitly distrusts all DigiNotar certificates and several intermediates.
Removing the root, as in our previous fix, meant the certificates could be considered valid if cross-signed by another Certificate Authority. Importantly, this list of distrusted certificates includes the “PKIOverheid” (PKIGovernment) intermediates under DigiNotar’s control that did not chain to DigiNotar’s root and were not previously blocked.
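To make the cross-signing point concrete, here is an added toy model (not Mozilla’s code; every name and fingerprint below is constructed) that walks issuer links the way a client does. It shows why dropping the breached root alone still validates an intermediate that was cross-signed by another root, and leaves a government intermediate that never chained to that root untouched, while an explicit distrust list applied to every certificate in the path blocks both.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed tag standing in for a certificate hash

def build_chains(leaf, pool):
    """Yield every issuer path from leaf to a self-signed cert. `pool` maps a
    subject name to all certificates carrying that name (cross-signs included)."""
    def walk(chain):
        cur = chain[-1]
        if cur.subject == cur.issuer:
            yield chain
            return
        for cand in pool.get(cur.issuer, []):
            if cand not in chain:
                yield from walk(chain + [cand])
    yield from walk([leaf])

def validate(leaf, pool, roots, distrusted=frozenset()):
    """Return 'ok' if some path ends at a trusted root and contains no
    explicitly distrusted certificate; otherwise the first reason it fails."""
    reasons = []
    for chain in build_chains(leaf, pool):
        if any(c.fingerprint in distrusted for c in chain):
            reasons.append("distrusted certificate in chain"); continue
        if chain[-1].fingerprint not in roots:
            reasons.append("root not trusted"); continue
        return "ok"
    return reasons[0] if reasons else "no path to a root"

# Constructed sample PKI: a sub-CA signed by the breached root and also
# cross-signed by an unrelated root, plus a government sub-CA operated by the
# breached CA that never chained to the breached root at all.
BREACHED_ROOT = Cert("Breached Root", "Breached Root", "root-A")
OTHER_ROOT    = Cert("Other Root", "Other Root", "root-B")
GOV_ROOT      = Cert("Gov Root", "Gov Root", "root-C")
INTER_DIRECT  = Cert("Breached Sub CA", "Breached Root", "sub-1")
INTER_CROSS   = Cert("Breached Sub CA", "Other Root", "sub-1x")   # cross-sign
INTER_GOV     = Cert("Gov Sub CA", "Gov Root", "gov-1")           # run by breached CA
LEAF_SUB      = Cert("www.example.com", "Breached Sub CA", "leaf-1")
LEAF_GOV      = Cert("login.example.gov", "Gov Sub CA", "leaf-2")
POOL = {}
for c in (BREACHED_ROOT, OTHER_ROOT, GOV_ROOT, INTER_DIRECT, INTER_CROSS, INTER_GOV):
    POOL.setdefault(c.subject, []).append(c)

ALL_ROOTS    = {"root-A", "root-B", "root-C"}
ROOT_REMOVED = ALL_ROOTS - {"root-A"}          # first fix: drop the root only
DISTRUST     = {"sub-1", "sub-1x", "gov-1"}    # second fix: name the intermediates
```

Running `validate(LEAF_SUB, POOL, ROOT_REMOVED)` still returns "ok" via the cross-signed path; adding `DISTRUST` makes both leaves fail.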
Certificates stolen include some for the CIA, MI6 and Mossad, so this issue is clearly shaking the weak foundation of SSL’s certificate trust model, showing how easily it can be circumvented.
So make sure to update Firefox if you use it. We can expect a security update from Apple soon to deal with these same problems.
For even more information about the DigiNotar breach, see Joshua Long’s comprehensive article on How to Revoke Trust for DigiNotar Root CA Certs—Even On Older Macs.