Mozilla has sent out a
laying out what it knows about the Comodo certificate
compromise and evaluating its own response. "Mozilla did not publish
the information we received prior to shipping a patch. In early
discussions, we were concerned that any indication that we knew about the
attack would lead to attackers blocking our security updates as well. We
also recognized that the obvious mitigation advice we might offer (to
change Firefox's security preferences to require a valid OCSP response in
all cases, or to remove trust from Comodo's certificates, or both) risked
causing a significant portion of the legitimate web to break as well...
In hindsight, while it was made in good faith, this was the wrong
decision. We should have informed web users more quickly about the threat
and the potential mitigations as well as their side-effects.
to post comments)