Mozilla demands security checks from CAs

The browser maker has demanded that certificate authorities comply to a list of security tests -- or else

Browser maker Mozilla has showed how much it trusts certificate authorities to handle their own security: Not much.

On Thursday the Mozilla Foundation, responsible for the development of the Firefox browser, requested that certificate authorities complete a list of security checks in the next eight days. CAs that fail to comply with the request could find their root certificate and any certificates issued by the firm deemed untrustworthy by Mozilla.

"Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe," Kathleen Wilson, the program manager is charge of Mozilla's CA Certificates Module, said in an email to certificate authorities.

Mozilla is demanding that certificate authorities audit their infrastructure to confirm that it's secure; highlight any dependencies on other CAs; have high hurdles to changes submitted for high-profile domains; require two-factor authentication; and demand that suppliers all take these steps as well.

"We believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve," Mozilla's Wilson wrote.

The demands for security validation come after Dutch certificate authority DigiNotar discovered its public-key infrastructure (PKI) had been completely breached by unknown attackers. The company not only failed to detect the breach, it failed to notify browser makers and the public in a timely manner. Mozilla, Microsoft, and Google have all updated their software to prevent the browsers from trusting some, if not all, DigiNotar certificates.

Microsoft, for example, issued an update on Aug. 29 to eliminate two branches of certificates issued by DigiNotar, but announced this week that a future update will mark all DigiNotar-issued certificates as untrusted.

"We are in the process of moving all DigiNotar owned or managed Certificate Authorities to the Untrusted Certificate Store, which will deny access to any websites using DigiNotar certificates," the company said in a blog post. "Microsoft is preparing to release an update to implement these protections."

If duplicated by other browser makers, Mozilla's demands that CAs attest to their own security measures could force CAs to comply with a de facto set of regulations. As it stands, security experts have questioned whether Internet users should trust a system that relies on more than 600 certificate authorities maintaining strong security measures.

"Even though it's an unusually straightforward choice with DigiNotar, the process [of revoking trust in a CA] is still a mess," says Moxie Marlinspike, a security researcher and chief technology officer of Whisper Systems, a startup focused on mobile security solutions.

Revoking the trust of larger certificate authorities will be difficult, Marlinspike says. "We really can't."

This article, "Mozilla demands security checks from CAs," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.