Mozilla Gets Tough on Digital Certificates

In a preemptive step to protect users from attacks based on fraudulent digital certificates, Mozilla has given certificate issuers a week to present proof of the security measures they have taken, or have their certificates rejected by Firefox.

Digital certificates are a critical part of the web’s security infrastructure. A certificate, signed by a certification authority (CA), is how a site proves it is what it claims to be, and it carries the public key the browser uses to set up an encrypted connection to the server. Because a browser accepts a certificate for any site from any CA on its trusted list, a single compromised CA undermines the whole system. That is exactly what called its integrity into question: an attack on DigiNotar, a Dutch CA, allowed the attackers to issue fraudulent certificates in the name of a large number of well-known sites, including Google.com, and there have been less serious breaches at other CAs.
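The weakness described above is easy to see in code. The Go program below is an added illustration, not part of Wildstrom’s post and not Mozilla’s or any CA’s code: it mints two throwaway CAs in memory (the names “Legitimate CA” and “Compromised CA” are made up, and google.com is used only as the host name from the article), issues a certificate for google.com from each, and shows that standard chain validation against a trust store containing both CAs accepts both certificates. It then shows the check that does catch the rogue one, a pin on the SHA-256 hash of the real site’s public key (SubjectPublicKeyInfo), and that dropping the rogue CA from the store, which is what Mozilla is threatening to do, breaks its chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl under parent with the signer's key (self-signed when
// parent == tmpl) and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MintChain builds an in-memory CA named caName and a server certificate for
// host issued by it. The CA names are invented; no real CA or key is involved.
func MintChain(caName, host string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser will check
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

// ChainVerifies is the browser's check: leaf is accepted for host if it chains
// to any CA in roots, whichever CA that happens to be.
func ChainVerifies(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
// A client that pins this value rejects a certificate for a different key no
// matter which trusted CA issued it.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches compares a presented certificate's key against a recorded pin.
func PinMatches(c *x509.Certificate, expected string) bool {
	return SPKIPin(c) == expected
}

func main() {
	goodCA, goodLeaf, _ := MintChain("Legitimate CA", "google.com")
	rogueCA, rogueLeaf, _ := MintChain("Compromised CA", "google.com")
	trustStore := x509.NewCertPool() // stands in for the browser's list of trusted CAs
	trustStore.AddCert(goodCA)
	trustStore.AddCert(rogueCA)
	pin := SPKIPin(goodLeaf) // recorded in advance for the site's real key
	for name, c := range map[string]*x509.Certificate{"legitimate": goodLeaf, "rogue": rogueLeaf} {
		fmt.Printf("%-10s chain valid=%v  pin matches=%v\n", name,
			ChainVerifies(c, trustStore, "google.com"), PinMatches(c, pin))
	}
}
```

Both lines print `chain valid=true`; only the legitimate certificate prints `pin matches=true`. Removing the rogue CA from `trustStore` makes `ChainVerifies` fail for the rogue certificate, which is the effect of a browser vendor pulling a CA’s root.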

In a letter to all CAs whose root certificates Firefox trusts, Kathleen Wilson, who is responsible for managing trusted certificates in Firefox, gave CAs until Sept. 16 to complete a checklist of security measures, including a full audit of their public key infrastructure.

This is a necessary step, and it should be joined by Microsoft, Google, Apple, Opera, and anyone else responsible for software that maintains a list of trusted CAs. But there is still an element of locking the stable door after a fair number of horses have bolted. What is really needed is much tougher standards for CAs on an ongoing basis, and probably a sharp reduction in the number of organizations that can issue trusted certificates.

Published by

Steve Wildstrom

Steve Wildstrom is a veteran technology reporter, writer, and analyst based in the Washington, D.C. area. He created and wrote BusinessWeek’s Technology & You column for 15 years. Since leaving BusinessWeek in the fall of 2009, he has written his own blog, Wildstrom on Tech, has contributed to corporate blogs, including those of Cisco and AMD, and also consults for major technology companies.
