In a preemptive step to protect users from possible attacks based on fake digital certificates, Mozilla has given certificate issuers a week to present proof of security measures they have taken or have their certificates rejected by Firefox browsers.
Digital certificates are a critical part of the web’s security infrastructure. They are how sites prove that they are what they claim to be, and they are also used to encrypt transactions between browsers and servers. But the integrity of the system was called into question by an attack on DigiNotar, a Dutch certification authority (CA), that allowed the attackers to issue false certificates in the name of a large number of well-known sites, including Google.com, and there have been less serious breaches at other CAs.
In a letter to all CAs whose certificates are accepted by Firefox, Kathleen Wilson, who is responsible for managing certificates in Firefox, gave CAs until Sept. 16 to complete a checklist of security measures, including a full audit of their public key infrastructure, a key security component.
This is a necessary step, and should be joined by Microsoft, Google, Apple, Opera, and anyone else responsible for software that maintains a list of trusted CAs. But there is still an element of locking the stable after a fair number of horses have escaped. What is really needed is much tougher standards for CAs on an ongoing basis, and probably a sharp reduction in the number of organizations that can issue trusted certificates.
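The mechanism behind "have their certificates rejected" is the browser's root trust store: a site's certificate is accepted only if it chains to a CA in that list, so removing a CA makes every certificate it issued fail validation. The following Go program is an added illustration, not code from Mozilla or the article. It builds a hypothetical root CA and a leaf certificate for the constructed hostname "example.test" (both names and keys are generated on the fly and are not real), then runs the same chain validation a browser performs, once with the CA in the trust store and once with it removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs template with parentKey (the parent's private key) and
// returns the parsed certificate. For a self-signed root, template == parent.
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI creates a hypothetical root CA ("Hypothetical Root CA") and a
// leaf certificate for the constructed hostname "example.test" issued by it.
// Everything here is generated locally; nothing refers to a real CA.
func BuildTestPKI() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err = makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = makeCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

// BuildTrustStore models a browser's root list. Distrusting a CA is simply
// leaving it out of the pool; an empty pool (not nil, which would mean
// "use the system roots") trusts nobody.
func BuildTrustStore(trustedCAs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range trustedCAs {
		pool.AddCert(c)
	}
	return pool
}

// VerifyAgainstTrustStore does what a browser does when a site presents leaf:
// it must chain to a root in the store, be valid now, and match the hostname.
func VerifyAgainstTrustStore(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether the failure is specifically "issuer is
// not in the trust store", as opposed to expiry or a hostname mismatch.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ca, leaf, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA trusted:   ", VerifyAgainstTrustStore(leaf, BuildTrustStore(ca), "example.test"))
	fmt.Println("CA distrusted:", VerifyAgainstTrustStore(leaf, BuildTrustStore(), "example.test"))
}
```

The second call prints an unknown-authority error even though the leaf itself is untouched and unexpired: nothing about the certificate changed, only the verifier's root list. That is the lever Mozilla's deadline rests on, and it cuts both ways, since every legitimate site that bought a certificate from a removed CA breaks at the same moment.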