Already having revoked trust in the root certificates issued by DigiNotar, Mozilla is taking steps to avoid having to repeat that process with any other certificate authority trusted by Firefox, asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates.
Mozilla officials have notified all of the CAs involved in the organization’s trusted root program for Firefox that they need to perform the audits and other required actions within the next eight days and send the results to Mozilla. The message, also posted to the Mozilla developer security policy group on Google, sends a clear message that Mozilla officials have little interest in seeing a rerun of the DigiNotar episode with another certificate authority.
“Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates,” Kathleen Wilson, owner of the Mozilla CA certificates module, said in the message. “Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.”
In addition to requiring that all trusted CAs audit their PKIs and look for signs of compromise, Mozilla is asking each CA to: confirm that two-factor authentication is in place on all systems from which certificates can be issued; compile a complete list of CA certificates from other roots in Mozilla's program that the CA's roots (including those of third-party CAs and RAs) have cross-signed; ensure that automatic blocks are in place on the issuance of certificates for high-value domains such as Google and Yahoo, which were targeted by the DigiNotar attacker; and, for each third-party CA or RA, either make sure that technical controls limit its ability to issue certificates to only companies it has confirmed it does business with, or send a complete list of all third parties along with links to each one's Certificate Policy and/or Certification Practice Statement and provide public attestation, by a competent independent party or parties with access to details of the subordinate CA's internal operation, of its conformance to the stated verification requirements and other operational criteria.
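Two of the controls in that list, the automatic block on high-value domains and the technical limit on what a third-party RA may request, can be enforced as a pre-issuance policy gate. The following is an example written for this article, not Mozilla's or any CA's code; the blocked-domain set, the RA names and the per-RA verified-domain lists are constructed placeholders. It normalizes each requested name (case, trailing dot, wildcard label, IDNA A-label form) before matching, so that look-alike spellings are compared in the same canonical form as the policy lists, and it matches on whole label suffixes so that `acme.example.evil.test` is not mistaken for a subdomain of `acme.example`.

```python
from dataclasses import dataclass

# Constructed list of domains that must never be issued automatically;
# a real CA would maintain this from its own risk assessment.
HIGH_VALUE_DOMAINS = {"google.com", "yahoo.com", "mozilla.org", "cia.gov"}


def normalize_name(name: str) -> str:
    """Canonicalize a requested DNS name before any policy comparison.

    Lowercases, strips a trailing dot, drops a leading wildcard label and
    converts to the IDNA A-label form.  Raises UnicodeError for names with
    empty or over-long labels, which the caller treats as a rejection.
    """
    n = name.strip().rstrip(".").lower()
    if n.startswith("*."):
        n = n[2:]
    return n.encode("idna").decode("ascii")


def is_subdomain_of(name: str, parent: str) -> bool:
    """True if name equals parent or lies under it on a label boundary."""
    return name == parent or name.endswith("." + parent)


@dataclass
class Decision:
    allowed: bool
    reasons: list  # one human-readable reason per rejected name


def evaluate_request(ra: str, names: list, ra_allowlist: dict,
                     high_value=HIGH_VALUE_DOMAINS) -> Decision:
    """Policy gate for a certificate request submitted by a third-party RA.

    ra_allowlist maps each RA to the parent domains it has been verified
    to control; anything outside that set, and anything under a high-value
    domain, is refused automatically and left for manual review.
    """
    reasons = []
    allowed_parents = ra_allowlist.get(ra)
    if allowed_parents is None:
        return Decision(False, [f"unknown RA {ra!r}"])
    for raw in names:
        try:
            n = normalize_name(raw)
        except UnicodeError:
            reasons.append(f"{raw!r}: not a valid hostname")
            continue
        if any(is_subdomain_of(n, hv) for hv in high_value):
            reasons.append(f"{raw!r}: high-value domain, automatic block")
            continue
        if not any(is_subdomain_of(n, p) for p in allowed_parents):
            reasons.append(f"{raw!r}: outside the domains verified for RA {ra!r}")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed RA registry for the demonstration.
RA_ALLOWLIST = {"ra-acme": ["acme.example", "acme-corp.example"]}

if __name__ == "__main__":
    for req in (["www.acme.example", "*.acme.example"],
                ["*.google.com"],
                ["addons.mozilla.org"],
                ["acme.example.evil.test"]):
        d = evaluate_request("ra-acme", req, RA_ALLOWLIST)
        print(req, "->", "ALLOW" if d.allowed else "REJECT", d.reasons)
```

The high-value check runs before the RA check on purpose: a request for a blocked domain is refused even when the RA's verified list would otherwise cover it, so a compromised RA account cannot widen the block by editing its own allowlist.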
The request by Mozilla comes just a few days after the organization moved to revoke trust in all of DigiNotar’s certificates in the wake of the compromise of the company’s CA system by an attacker who was able to issue more than 500 rogue SSL certificates to himself. Some of the certificates were issued for high-profile domains such as *.google.com, cia.gov, addons.mozilla.org and others. That revocation rendered all of the certificates issued by DigiNotar to any site invalid for Firefox users.
The way that Mozilla made the changes in Firefox 6.0.2 is a little obscure. The DigiNotar root certificates are still present in the browser's list of certificates, but when a user clicks on one of them and then clicks Edit Trust, all of the options are unchecked by default. That means that, by default, Firefox trusts none of those certificates for mail, sites or software, but users can still edit that setting and check whichever boxes they choose.
Now, Mozilla officials are hoping to head off another such incident before it occurs by requiring all of the CAs trusted by Firefox to inspect their own systems and ensure that they have the proper security controls in place to help prevent a similar compromise. GlobalSign, one of the larger CAs in the industry, is in the middle of an investigation of its own, sparked by a message from the DigiNotar attacker saying that he also had penetrated GlobalSign’s network, as well as the infrastructures of three other unnamed CAs.