

Mozilla admits to mishandling Comodo disclosure - trotsky
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/

======
metachris
That's a bad title. Better would be the original one "Comodo Certificate Issue
– Follow Up". While this post (responsibly) discusses how Mozilla could have
handled the situation better, it's a much broader, interesting follow-up which
hopefully helps the discussion about security on the internet. Faked, trusted
certificates are one heck of a problem, in particular if they are signed with
a root certificate as happened in this incident.

~~~
trotsky
_In hindsight, while it was made in good faith, this was the wrong decision.
We should have informed web users more quickly about the threat and the
potential mitigations as well as their side-effects._

If you've been following the story closely, that's the most significant
portion of the blog post. There has been substantial criticism of the browser
vendors acting to protect CAs instead of users, and this is an admission by
Mozilla that they agree, at least to some extent.

If you read through the entry given a title of "Comodo Certificate Issue –
Follow Up" it would be pretty easy to miss, as it is rather buried. Much of
the rest of it is a rehash of previously available information.

~~~
bad_user
I don't think Mozilla tried to protect the CA.

I think Mozilla tried to protect their own browser, by tacitly releasing
updates for blacklisting those certificates, with the rationale being that
this way Mozilla updates wouldn't also get blocked.

As the article says, those certificates have value in a tightly controlled
network, because otherwise the browser would get a revocation status for that
certificate using the OCSP protocol. In such a network it would also be
feasible to block Mozilla updates, and making the issue public wouldn't
have helped (from this perspective).

Not saying that what they did was OK, but the issue is not so cut and dry.
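The comment above turns on one mechanism: a browser's online revocation check (OCSP) is only useful if the responder can be reached, while a blocklist shipped inside a browser update needs no network at all. The following is an added illustration of that trade-off, not code from the Mozilla post or from anyone in this thread. The certificates, serial numbers, issuer name and responder behaviour are all constructed stand-ins; real browser blocklists key on issuer plus serial number, but the values here are placeholders.

```python
"""Added example: client-side blocklist vs. OCSP under a blocked network.

Models the decision a browser makes when validating a certificate:
  1. consult a locally shipped blocklist (issuer, serial) -- no network needed;
  2. ask the OCSP responder;
  3. if the responder is unreachable, apply either soft-fail (accept) or
     hard-fail (reject).
All certificate data below is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"  # responder blocked or timed out


class Verdict(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str


# Constructed blocklist of (issuer, serial) pairs; placeholder values only.
BLOCKLIST: FrozenSet[Tuple[str, int]] = frozenset({
    ("CN=Example Root CA", 0x1001),
    ("CN=Example Root CA", 0x1002),
})

FRAUDULENT = Cert("CN=Example Root CA", 0x1001, "CN=login.example.test")
LEGITIMATE = Cert("CN=Example Root CA", 0x2001, "CN=www.example.test")


def check_cert(cert: Cert,
               ocsp_query: Callable[[Cert], OcspStatus],
               blocklist: FrozenSet[Tuple[str, int]] = BLOCKLIST,
               hard_fail: bool = False) -> Tuple[Verdict, str]:
    """Return (verdict, reason) for a certificate."""
    # Step 1: local blocklist. Works even when the attacker controls the
    # network, because nothing has to be fetched at validation time.
    if (cert.issuer, cert.serial) in blocklist:
        return Verdict.UNTRUSTED, "blocklist"
    # Step 2: online revocation check.
    status = ocsp_query(cert)
    if status is OcspStatus.REVOKED:
        return Verdict.UNTRUSTED, "ocsp-revoked"
    if status is OcspStatus.UNREACHABLE:
        # Step 3: the policy choice that decides whether a blocked responder
        # helps the attacker (soft-fail) or breaks legitimate sites (hard-fail).
        if hard_fail:
            return Verdict.UNTRUSTED, "ocsp-unreachable-hard-fail"
        return Verdict.TRUSTED, "ocsp-unreachable-soft-fail"
    return Verdict.TRUSTED, "ocsp-good"


def honest_responder(cert: Cert) -> OcspStatus:
    """Open network: the CA's responder answers truthfully."""
    if (cert.issuer, cert.serial) in BLOCKLIST:
        return OcspStatus.REVOKED
    return OcspStatus.GOOD


def blocked_responder(cert: Cert) -> OcspStatus:
    """Tightly controlled network: OCSP traffic never gets through."""
    return OcspStatus.UNREACHABLE


def scenarios() -> Dict[str, Tuple[Verdict, str]]:
    """Run the cases discussed in the thread and return each verdict."""
    return {
        # Open network: OCSP alone catches the fraudulent certificate.
        "open-net": check_cert(FRAUDULENT, honest_responder, blocklist=frozenset()),
        # Controlled network, no blocklist, soft-fail: attacker wins.
        "blocked-net-softfail": check_cert(FRAUDULENT, blocked_responder, blocklist=frozenset()),
        # Controlled network, blocklist shipped in an update: caught offline.
        "blocked-net-blocklist": check_cert(FRAUDULENT, blocked_responder),
        # Controlled network, hard-fail, no blocklist: caught, but see below.
        "blocked-net-hardfail": check_cert(FRAUDULENT, blocked_responder, blocklist=frozenset(), hard_fail=True),
        # Side-effect of hard-fail: a legitimate site is also rejected.
        "legit-hardfail": check_cert(LEGITIMATE, blocked_responder, hard_fail=True),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in scenarios().items():
        print(f"{name:24s} {verdict.value:10s} ({reason})")
```

The last two cases are the trade-off the Mozilla post calls "potential mitigations as well as their side-effects": hard-fail OCSP closes the gap without a browser update, but it also rejects every legitimate certificate whenever the responder is unreachable, which is why a shipped blocklist is the less disruptive fix for a known set of bad certificates.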

~~~
trotsky
According to the Mozilla ticket on the issue, Mozilla did not disclose because
Comodo asked them not to. While the stated motivation of a coordinated
disclosure sounds decent enough, it's hard to believe it was really in either
Mozilla's or their users' best interests. Microsoft was the last to patch, and
I think if you're dealing with an attacker that would shut off microsoft.com
(even selectively) or WU you're probably well beyond an RA compromise.

<https://bugzilla.mozilla.org/show_bug.cgi?id=643056#c20>

It seems to me that there is a bit of a question (at least in a few people's
minds) if there was going to be any kind of disclosure if Jacob didn't come
along.

