
Mozilla's followup on the Comodo certificate issue

Mozilla has sent out a followup laying out what it knows about the Comodo certificate compromise and evaluating its own response. "Mozilla did not publish the information we received prior to shipping a patch. In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well. We also recognized that the obvious mitigation advice we might offer (to change Firefox's security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo's certificates, or both) risked causing a significant portion of the legitimate web to break as well... In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects."

Mozilla's followup on the Comodo certificate issue

Posted Mar 26, 2011 0:21 UTC (Sat) by vonbrand (subscriber, #4458)

The incident report is weird... How come compromising a user account leads to creating another and then issuing certificates?

More attacks

Posted Mar 31, 2011 21:19 UTC (Thu) by job (guest, #670)

In related news, when Comodo investigated this further they found out that two more partners were owned. Oops.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.