SSL certificate authorities (CAs) hold an important role in ensuring the trust model of modern Internet security. This year, at least twice already, that trust may have been misplaced. Both the Comodo and, more recently, the DigiNotar CAs have been compromised, leaving millions of users at risk.
Browser vendor Mozilla is now saying that enough is enough and is giving the CAs a one-week deadline to prove they are secure.
“Each audit must check for mis-issuance of certificates, especially high-value domains as well as the network infrastructure, monitoring, passwords, etc.,” Kathleen Wilson, module owner of Mozilla’s CA Certificates Module explained to InternetNews.com.
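The audit step quoted above, checking an issuance log for certificates that touch high-value domains, is the kind of control that would have surfaced a rogue *.google.com certificate. The following is an added example written for this page; it is not code from Mozilla, from any CA, or from the original article. The watchlist, the authorized-requester table and the issuance log are all constructed for illustration, as is the `IssuedCert` record shape; a real audit would read the CA's own issuance database. The check goes slightly beyond the quote in that it also treats wildcard names (both below and one label above a watched domain) as matches, since those are exactly the names an attacker asks for.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed watchlist of high-value domains (assumption; a CA would maintain its own).
HIGH_VALUE_DOMAINS: Set[str] = {"google.com", "mozilla.org", "microsoft.com"}

# Constructed mapping of watched domain -> CA accounts allowed to request for it.
# A domain with no entry is one this CA should never issue for at all.
AUTHORIZED_REQUESTERS: Dict[str, Set[str]] = {"mozilla.org": {"mozilla-it"}}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def covers(cert_name: str, watched: str) -> bool:
    """True if a name from an issued certificate equals, lies under, or
    (as a wildcard) would match a watched domain.

    *.google.com covers google.com and everything beneath it; a wildcard one
    label above the watched domain (*.com) is also flagged, because it would
    match the domain itself. Browsers reject such wildcards, but an audit
    should still see that someone asked for one."""
    cert_name, watched = normalize(cert_name), normalize(watched)
    if cert_name.startswith("*."):
        base = cert_name[2:]
        if base == watched or base.endswith("." + watched):
            return True
        # watched is exactly one label beneath base, e.g. *.com vs google.com
        return watched.endswith("." + base) and "." not in watched[: -len(base) - 1]
    return cert_name == watched or cert_name.endswith("." + watched)


@dataclass
class IssuedCert:
    """Hypothetical issuance-log record (assumed shape, not a real CA format)."""
    serial: str
    subject_cn: str
    sans: List[str]
    requester: str  # CA account that submitted the request


def audit(certs: List[IssuedCert],
          watchlist: Set[str] = HIGH_VALUE_DOMAINS,
          authorized: Dict[str, Set[str]] = AUTHORIZED_REQUESTERS,
          ) -> List[Tuple[str, str, str]]:
    """Return (serial, name, watched_domain) for every name in a certificate
    that touches a watched domain and was requested by an account that is
    not authorized for that domain."""
    findings: List[Tuple[str, str, str]] = []
    for cert in certs:
        # dict.fromkeys dedupes a CN that is repeated in the SAN list, keeping order
        for name in dict.fromkeys([cert.subject_cn] + cert.sans):
            for domain in sorted(watchlist):
                if covers(name, domain) and cert.requester not in authorized.get(domain, set()):
                    findings.append((cert.serial, name, domain))
    return findings


# Constructed issuance log: one benign reseller cert, one authorized mozilla.org
# cert, one DigiNotar-style rogue wildcard, and one cert hiding a high-value
# name in its SAN list behind an innocuous subject.
ISSUANCE_LOG: List[IssuedCert] = [
    IssuedCert("0x01", "www.example.net", ["www.example.net", "example.net"], "reseller-42"),
    IssuedCert("0x02", "mail.mozilla.org", ["mail.mozilla.org"], "mozilla-it"),
    IssuedCert("0x03", "*.google.com", ["*.google.com", "google.com"], "unknown-admin"),
    IssuedCert("0x04", "shop.example.net", ["shop.example.net", "login.microsoft.com."], "reseller-42"),
]


if __name__ == "__main__":
    for serial, name, domain in audit(ISSUANCE_LOG):
        print(f"MIS-ISSUANCE serial={serial} name={name} watched={domain}")
```

Running the block flags serial 0x03 twice (the wildcard and the bare google.com name) and serial 0x04 once for the login.microsoft.com SAN; the authorized mozilla.org certificate and the example.net certificates produce no findings. The point of the per-domain requester table is that "touches a high-value domain" alone is not a finding: a CA may legitimately serve such customers, so the audit has to compare the requesting account against who is actually allowed to ask.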
Mozilla has also told the CAs that they must implement multi-factor authentication or provide a date by which they expect to have it implemented. Multi-factor authentication on accounts provides a second layer of defence against attacks. In the DigiNotar breach, a security audit found that the CA did not have strong passwords protecting its accounts. With multi-factor authentication, a single weak password is no longer enough on its own to let an attacker in.
While the Mozilla demand is being driven by the DigiNotar breach, Wilson noted that Mozilla has made requests to CAs in the past as well.
“We typically conduct a review of the CAs in our program every four to six months,” Wilson explained. “Whenever a CA wants to modify trust bits of an existing root, or add a new root, they have to go through our complete review process.”
The Mozilla review process for CAs is publicly available at https://wiki.mozilla.org/CA. The initial Mozilla CA process can take as long as two years for organizations requesting inclusion in the browser for the first time.
“Historically, the CAs in our program have been responsive to our requests, and we anticipate the same here,” Wilson said. “If a CA did stop responding to our requests, we’d decide what actions to take on a case by case basis, but these could include disabling or removing the root.”
For the current request, Mozilla is giving the CAs until September 16th to respond. Wilson noted that Mozilla sent emails to each point of contact for each root certificate as well as to a broader CA email list.
“We believe that a week is a reasonable amount of time for CAs to be able to send their initial response and target dates to us,” Wilson said.