Firefox 3 Updates and SSL Blocklist extension

Published: 2011-03-23
Last Updated: 2011-03-23 13:01:43 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

At the heals of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it wouldn't be for one interesting change: Mozilla decided to add some new blocklisted SSL certificates.

SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out tht a certificate was signed by mistake, they may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check if the certificate is listed as revoked.

However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, it may lead to compromised revocation lists as well. The black list feature in Firefox (same feature exists in Chrome) lists a small number of certificates that the browser will not trust.

The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular it is suggested that a certificate for "", the site used for Firefox plugins, was created using the compromised CA.



Also see:

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: Firefox ssl
2 comment(s)
Diary Archives