This probably isn’t of much interest to most of you who read this blog, but Mozilla just struck a major blow for online security and — as importantly — accountability. Quick-and-very-dirty layman’s explanation:
Much of the invisible infrastructure of the Internet depends on “identity certificates” to establish secure connections between a website and your browser. A certificate uses some very clever cryptography to prove that the website is actually the site it claims to be, and your browser alerts you if there are any problems. Once you know that you are connecting to the right website, you can use the certificate to establish an encrypted connection to that website. Every time you do an online credit card transaction with a legitimate vendor, you are depending on an encrypted connection backed by a certificate to keep your credit card data safe as it travels across the public internet.
This “web of trust” depends on the people who create certificates — a small number of so-called “Certificate Authorities”. Because of their key role in keeping Internet commerce buzzing, CAs are subject to strict standards, ever-improving cryptographic requirements, and regular audits. Mozilla recently uncovered a giant web of lies at one such CA, WoSign, that its auditor, the highly reputable Ernst & Young, had overlooked.
Now, truthfully, I don’t know a whole lot about certificate security; my job doesn’t require me to know more than the basics. But I do know quite a bit about politics. The political incentives to sweep this kind of thing under the rug are large. As we saw in the global financial crisis, it’s very easy for regulators to get into bed with the industries they’re supposed to be regulating, helping bad actors get away with things in order to preserve the “overall stability of the system” or something. It’s even harder to take action when a major name like Wells Fargo or Bear Stearns or Ernst & Young is going to take a serious hit.
But Mozilla did its job and, after some weeks of deliberation, brought down the hammer. All new certificates from this CA, and all certificates that depend on certificates from this CA, are now “distrusted” by Firefox (read: effectively invalidated). All CA audits by Ernst & Young’s Hong Kong office (which was responsible for the WoSign audit) are also going to be considered invalid in upcoming versions of Firefox. One wonders where the global economy would be today had financial regulators taken such firm and decisive action against bad behavior in their industry.
Kudos to the Mozilla security team. I still have my differences with Mozilla, but Mozilla lived up to its highest ideals today, and helped make the Web better, and safer, for all of us.
Now, if you’ll excuse me, I have to go check if any of the websites I’m involved with have any dependencies on recent WoSign certificates.
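As an added example (not code from the original post or from Mozilla), here is a small Python script in the spirit of that last sentence: it classifies a site's leaf certificate by issuer organisation and issue date, using only the standard library's ssl module, so a staged distrust of the kind described above can be checked against your own sites. The distrusted-CA tuple, the cutoff date and the sample certificates are constructed assumptions, not the values from Mozilla's actual decision.

```python
import socket
import ssl

# Issuer organisations to flag. "WoSign" is the CA named in the post; the tuple
# is this example's assumption, extend it to match what your trust store distrusts.
DISTRUSTED_ORGS = ("WoSign",)

# Constructed placeholder cutoff in getpeercert() date format, NOT the date from
# Mozilla's actual decision: certs a flagged CA issued on or after it are rejected.
CUTOFF = "Jan  1 00:00:00 2016 GMT"


def _dn_values(dn, key):
    """Collect one attribute's values from a getpeercert() DN (tuple of RDN tuples)."""
    return [v for rdn in dn for (k, v) in rdn if k == key]


def classify(cert, cutoff=CUTOFF):
    """Classify a cert in ssl.SSLSocket.getpeercert() dict form.
    'distrusted': flagged issuer, issued on or after the cutoff.
    'legacy': flagged issuer, issued before the cutoff (still accepted under a
              staged distrust, but should be replaced before it expires).
    'ok': issuer not flagged.
    """
    orgs = _dn_values(cert.get("issuer", ()), "organizationName")
    if not any(bad in org for org in orgs for bad in DISTRUSTED_ORGS):
        return "ok"
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return "distrusted" if issued >= ssl.cert_time_to_seconds(cutoff) else "legacy"


def check_host(hostname, port=443, timeout=5.0):
    """Fetch a live site's leaf certificate and classify it.
    Caveat: getpeercert() returns only the leaf, so a chain that reaches a
    flagged CA through an intermediate is not caught by issuer name alone.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return classify(tls.getpeercert())


# Constructed sample leaf certs in getpeercert() shape (not real certificates).
SAMPLE_CERTS = {
    "shop.example": {"issuer": ((("countryName", "CN"),), (("organizationName", "WoSign CA Limited"),)),
                     "notBefore": "Mar  3 00:00:00 2016 GMT"},
    "blog.example": {"issuer": ((("organizationName", "WoSign CA Limited"),),),
                     "notBefore": "Jun 10 00:00:00 2015 GMT"},
    "mail.example": {"issuer": ((("organizationName", "Other CA Inc"),),),
                     "notBefore": "Sep  1 00:00:00 2016 GMT"},
}
```

Running classify() over SAMPLE_CERTS yields "distrusted", "legacy" and "ok" respectively; check_host() applies the same test to a live site's leaf certificate.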
Did you notice it was me who conducted the WoSign investigation? 🙂
Maybe a little, but I didn’t want to confess to the world the level of gerv fangirling that I was doing while I was writing the post. 🙂
Go read the document, folks! It’s good stuff! (And way more detailed — not to mention horrifying — than the little bit I explained here.)
It’s a good read, actually, if I say so myself. I wrote it to be layman-accessible:
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
One respected security commentator on Twitter called it a “page-turner”…