Firefox, Thunderbird 6.0.1 revoke DigiNotar root certificate

You never know where internet vermin will pop up next. This time around, hackers “obtained” fraudulent digital certificates, perhaps more than 200, used by all browsers to authenticate connections, and Mozilla has taken a (very) small step to rectify the problem.
Firefox 6.0.1 and Thunderbird 6.0.1 (release notes) are now available and they do one thing, and one thing only.
— Revoked the root certificate for DigiNotar due to fraudulent SSL certificate issuance (see bug 682927 and the security advisory)
That’s all well and fine, except that Wired now reports that the so-called DigiNotar breach isn’t about one SSL certificate or one issuing authority.
Hackers who obtained a fraudulent digital certificate for Google may have actually obtained more than 200 digital certificates for other top internet entities such as Mozilla, Yahoo and even the privacy and anonymizing service Tor.
In fact, Google Chrome is now blocking more than 200 bogus certificates, and Apple, as is their wont, hasn’t said a word about a possible patch or workaround for Safari.
Ouch. So, if you’re a Firefox 6 and/or Thunderbird 6 user, by all means install these updates. However, Mozilla hasn’t issued patches for Firefox and Thunderbird versions 4, 5 or 7 (yet).
We haven’t heard the last of this issue…
What’s your take?




