Mozilla Says It Erred On SSL Attack Disclosure

Posted by Soulskill
from the comodo-draggin-their-feet dept.
Trailrunner7 writes "Just days after news emerged of the attack on a registration authority in Europe tied to Comodo that caused the revocation of a number of fraudulent certificates from the major browsers, Mozilla officials have admitted they made a mistake by not disclosing the details of the incident to its users earlier. 'In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.'"

  • when there is no other widely accepted way to verify a website's identity.
    • by rb12345 (1170423)

      Removing or disabling the affected CA in the browser would be a simple enough workaround in this case, although you'd then have to trust individual certificates by hand. If previously seen certificates could be trusted directly, without fully trusting the CA, that would be even better. For example, I could trust that the existing Google certificates are good, but no longer trust the CA certificate that signed them.

      You'd probably want separate levels of trust, so that certificate revocations would still

    • There's DNSSEC, which more and more ISPs and registries support. Then, if someone managed to hijack a certificate he/she would also have to spoof Google's IP.
      • There's DNSSEC, which more and more ISPs and registries support. Then, if someone managed to hijack a certificate he/she would also have to spoof Google's IP.

        Hear, hear! The difference the CAs will tell you is they verify and identify the organization rather than the domain name...

        Poser = "mcdnalds.com"
        Ronald = "mcdonalds.com"

        The reality seems to be more CAs continue to make the process easier and easier to increasingly enrich themselves without having to do much to show for it in return... Now many offer a completely automated process to instantly obtain a cert...WTF?!?!?!

        In my view the system would be better off if we all got SSL certs with our DNS names and t

  • I don't see what the big deal is. Everybody knew about this vulnerability as soon as Microsoft told them about it anyhow.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Yeah except if the situation had been reversed and Microsoft had done what Mozilla did. Then there would be pitchforks about how Microsoft was being evil. But, no, this time it was Mozilla and they can just do no wrong.

      • Yet apparently they say they can.
      • by hedwards (940851)

        It's fundamentally different when it's an isolated incident versus the standard operating procedure. MS wouldn't be getting anywhere near as much crap if it was just one vulnerability from time to time as they do now that it's pretty much every vulnerability.

        Plus, MS doesn't typically admit screwing up for doing it either.

        • by UBfusion (1303959)

          Since you seem to know the internal workings of MS, have they ever issued a patch to remove fraudulent or "defective" root CAs? Are any of those hundreds of OS updates I have on my PC SSL-related?

  • Can anyone explain to me why the whole SSL system isn't fundamentally broken in the first place? And by "fundamentally broken" I mean that it seems like trusting Certificate Authorities to vouch for people seems little different than trusting any random stranger.

    On the other hand, of course, what choice do I have if I want to do something useful online? It's not like I can call up my bank president and make him pinky swear that if anybody sniffs my login credentials and steals all my money he'll reimburse

    • by UBfusion (1303959)

      I'm not a security expert and my crypto knowledge is limited. But from what I can understand, the general principle here is that trusting somebody unknown is considered more dangerous than not trusting somebody you know. In addition, the meaning of "trust" in the SSL context is that "you can trust me that anything that happens between me and you is encrypted, will stay between you and me, and nobody else can hear us". It's not "trust me, visiting my website won't harm your computer or your person". There ha

      • by Anonymous Coward

        SSL seems fundamentally broken because it is.

        Say a site devoted to dissidents purchases a cert signing from some CA like Verisign.

        Now, say your government, someone else's gov't, or some random corp has its own CA that is trusted by your browser. This government/corp wants to spy on your activity, so they gen a cert for dissidentsRus.org, and set up a transparent proxy to intercept your traffic. While they are at it, they set up the same for your bank.

        Now, you visit dissidentsRus.org, and nothing looks odd

        • This makes more sense than the parent. So either wisdom comes from anonymous cowards, or I'm paranoid; I'm not sure which.

    • by amorsen (7485)

      SSL is fundamentally broken. It only allows one signature of a certificate. If it allowed multiple signatures, anyone could sign the certificate, and you could do stuff like check if your friends trust this certificate, or whether your bank does, and so on. Just like PGP/GPG.

      Sensible sites would get their certificates signed by multiple authorities, and this would make it possible for browser users to disable e.g. Comodo certificates without losing access to a significant part of the WWW.

  • Good on them (Score:5, Insightful)

    by BlueParrot (965239) on Friday March 25, 2011 @04:46PM (#35616468)

    Admitting it was a mistake rather than coming up with some bogus excuse gives them points in my book. Whether the decision was by marketing or just company policy it at least suggests they have one or two competent people over there.

    • Admitting it was a mistake rather than coming up with some bogus excuse gives them points in my book.

      I agree, however they should also be open about the punishment given to those responsible. A lethal SQL injection perhaps?

  • Why is everyone so afraid of being open? Maybe it's just part of the human condition.

    We have little hope if even Mozilla leans towards nondisclosure.

    • by jd (1658)

      Few things that are supposed to be "human condition" really are. That's usually just an excuse to not dig deeper. In this case, Mozilla happened to "err" on the side of non-disclosure just about the time it was releasing a new browser and really didn't need people mistaking the messenger for the message. Far better to let people worry about the security of other browsers.

  • by darthcamaro (735685) on Friday March 25, 2011 @05:15PM (#35616828)
    Mozilla was the first browser vendor to patch. SURE they could have told us exactly what they were patching, but they erred on the side of caution. The fact that they want to be OPEN about everything is just a bonus and it's what differentiates Mozilla from every other browser vendor.
    • by trifish (826353) on Saturday March 26, 2011 @03:01AM (#35620404)

      You didn't get what they did wrong. They knew about the issue 10 days before they disclosed it (and they were in fact forced to disclose it by a blogger). During that period, the affected unsuspecting people in Iran may have been exploited, snooped, arrested and/or executed. That's what they apologized for just now. But apologies won't help those victims (if there are any) a bit.

      • by jd (1658)

        This has been debated endless times, as to when it is best to reveal that a vulnerability exists, with one camp arguing that it's best to delay announcements until there is no risk that the announcement will increase the degree of exploitation, and the other arguing that unannounced exploits are ALWAYS a danger, that you should not assume that those who are potential threats are ignorant simply because the users are.

        As you can probably gather, I tend to be in the latter group. It doesn't take a child long t

  • Most of this has been the work of Jacob Appelbaum, core member of the Tor project. He is the one who investigated the fraudulent certificates and it's a fascinating detective story [torproject.org].
