The security breach at the Dutch Certificate Authority [CA] DigiNotar continues to have follow-on effects. The ThreatPost blog, from the security firm Kaspersky Labs, reports that the Mozilla organization, builder of the Firefox browser, has requested all the CAs providing root certificates recognized by Firefox to complete an immediate review of their security regimes.
Mozilla officials have notified all of the CAs involved in the organization’s trusted root program for Firefox that they need to perform the audits and other required actions within the next eight days and send the results to Mozilla.
A copy of the message to CAs was posted on the group
mozilla.dev.security.policy. The note requests a number of specific actions, including:
- Audit of CA systems for intrusion or compromise
- Confirmation that multiple-factor authentication is required to issue certificates
- Confirmation that provisions are in place to flag certificate requests for high-profile domains (such as Google)
- Implementation of controls to check that certificates are only issued for authorized domains (in line with the draft Internet standard RFC 5280, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”)
Mozilla has requested these actions apply not only to the root CAs, but also to any other second-tier entities to which certificate authority has been delegated.
Mozilla, along with Google and Microsoft, released updated versions of its browser software to “blacklist” DigiNotar certificates in response to the security breach there. If nothing else, this was certainly a colossal nuisance for the browser vendors, one they would prefer not to experience regularly. These short-notice updates are inconvenient and potentially confusing to end users, too.
Now, Mozilla officials are hoping to head off another such incident before it occurs by requiring all of the CAs trusted by Firefox to inspect their own systems and ensure that they have the proper security controls in place to help prevent a similar compromise.
In theory, the CAs are supposed to take reasonable steps to verify the identity and authority of those who request the issuance of server certificates. A concern has always been that the CAs may have an economic incentive to be less than totally diligent about this vetting process; after all, they get paid for issuing certificates, not for rejecting certificate requests.
It seems to me that the major browser vendors have at least some leverage over the CAs. If no one’s browser trusts certificates from the Nocturnal Aviation CA, they are not likely to be attractive to potential customers. I hope that other browser vendors will make a similar effort.