Mozilla orders certificate authorities to check their security

Posted by Emma Woollacott

After the recent breach at web security certificate authority DigiNotar, and with fears that others have been compromised too, Mozilla has ordered certificate issuers to get their own house in order.

It's giving them until 16 September to audit their own internal security systems and assure Mozilla that they haven't been compromised.

"Participation in Mozilla's root program is at our sole discretion, and
we will take whatever steps are necessary to keep our users safe," it warns.

Following last week's breach at DigiNotar, hacker Comodo boasted that he'd penetrated the networks of GlobalSign and three other certificate authorities.

Mozilla is calling on certificate issuers to review their systems for signs that there may have been an intrusion, and to audit their public key infrastructure (PKI).

They'll also need to put in place automatic blocks for high-profile domains, such as those targeted in the DigiNotar and Comodo attacks.

The whole affair should be a wake-up call for the many companies that have been too willing to put their trust in PKI, says
Tsion Gonen, vice president at SafeNet.

"Public key infrastructure is the most insecure 'security' technology ever created," he says.

"If the certificate is compromised, the entire PKI environment is compromised. Utilizing PKI without the proper underlying security processes can actually make an organization less secure. It is akin to having a safe where you keep all of your valuables, but failing to install a lock."