Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Says It Erred On SSL Attack Disclosure

Posted by Soulskill on from the comodo-draggin-their-feet dept.

Trailrunner7 writes "Just days after news emerged of the attack on a registration authority in Europe tied to Comodo that caused the revocation of a number of fraudulent certificates from the major browsers, Mozilla officials have admitted they made a mistake by not disclosing the details of the incident to its users earlier. 'In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.'"

5 of 62 comments (clear)

  1. Re:No harm, no foul by Anonymous Coward · · Score: 3, Insightful

    Yeah except if the situation had been reversed and Microsoft had done what Mozilla did. Then there would be pitchforks about how Microsoft was being evil. But, no, this time it was Mozilla and they can just do no wrong.

  2. Re:What can users do about it by heypete · · Score: 4, Informative

    You can also not bother using CRLs, and just use OCSP, which is turned on by default (EV certificates require it or else the browser won't display the "green bar").

    As it does live checks on only the certificates presented right then, rather than downloading the whole CRL at intervals, OCSP uses less network resources for both you and the CA, updates faster (CRLs update every few days), and is generally superior in all ways. Like CRLs, OCSP responses are signed by the CA that issued them, and so cannot be tampered with.

    You can even have your browser set to not trust the certificate presented if the OCSP query fails, which is a good fail-safe. I wish there was a "warn if OCSP check fails" option, rather than "fail silently and allow connection to proceed if OCSP fails" and "fail noisily and not work if OCSP fails". The former leaves people vulnerable, while the latter presents DoS attack targets.

    Pushing out OS and browser updates to manually revoke those certificates is not a bad idea, particularly for those who have OCSP disabled for whatever reason, but there's not really any reason to manually install CRLs when OCSP exists.

  3. Good on them by BlueParrot · · Score: 4, Insightful

    Admitting it was a mistake rather than coming up with some bogus excuse gives them points in my book. Whether the decision was by marketing or just company policy it at least suggests they have one or two competent people over there.

  4. I think they did the right thing - BOTH times by darthcamaro · · Score: 3, Insightful

    Mozilla was the first browser vendor to patch. SURE they could have told us exactly what they were patching, but they erred on the side of caution. The fact that they want to be OPEN about everything is just a bonus and it's what differentiates Mozilla from every other browser vendor.

    1. Re:I think they did the right thing - BOTH times by trifish · · Score: 3, Informative

      You didn't get what they did wrong. The knew about the issue 10 days before they disclosed it (and they were in fact forced to disclose it by a blogger). During that period, the affected unsuspecting people in Iran may have been exploited, snooped, arrested and/or executed. That's what they apologized for just now. But apologies won't help those victims (if there are any) a bit.