Firefox 6.0.2 fixes yet more DigiNotar certificate fallout

 

Firefox 6.0.2 has just come out, correcting an entirely forgivable glitch caused by Firefox 6.0.1, which was necessitated by the mess caused by disgraced Dutch web security company DigiNotar.


(DigiNotar is the former Certificate Authority - or so-called "authority" - which managed to issue more than 500 bogus digital certificates in the name of major web properties such as Facebook, Twitter, Microsoft and Google; in the name of intelligence agencies such as the Mossad and the CIA; and even, it seems, in the name of other certifying authorities.)

Firefox 6.0.1 fixed Mozilla Foundation Security Advisory 2011-34, which simply pulled everything to do with DigiNotar from its list of trusted certificates. Loosely speaking, any certificate signed by DigitNotar, or any certificate signed by someone with a certificate signed by DigiNotar, and so ad infinitum, was blown out of the water.

Any website with a certificate bought through DigiNotar therefore become untrusted at once. As Mozilla quite bluntly explained in the 6.0.1 update, "sites using certificates issued by DigiNotar will need to seek another certificate vendor." And that's how it should be. A Certificate Authority isn't supposed to make mistakes of this sort - not at all, let alone to this extent.

Unfortunately, Firefox 6.0.1 blocked some untainted certificates signed by the Dutch State itself.
It seems that the Dutch public service had not one, but two, Certificate Authorities of its own which were tainted by association with DigiNotar, but which had never issued certificates signed anywhere in their trust chain by DigiNotar,

One of these tainted-but-still-trustworthy authorities was exempted from inclusion in Firefox's certificate ban of 6.0.1; the other was not.

Firefox 6.0.2 fixes Mozilla Foundation Security Advisory 2011-35, by exempting the Dutch government's second root Certificate Authority - imaginatively named STAAT DER NEDERLANDEN ROOT CA - G2 - thus reducing the browser's impact on the web services provided by the Dutch authorities.
The Dutch government should be delighted at this outcome.

After all, Mozilla's initial step - vigorously disowning everything tainted by DigiNotar - was aggressive but, in my opinion, necessary. Getting into a certification relationship with company X is like buying shares in company X. If the price goes down, all shareholders lose out simultaneously. If the company goes down, you go down with it.

Let's see whether this fiasco causes the Dutch authorities to reconsider modern public service buzzwords such as "cloud" and "outsourcing"!

nb : nakedsecurity.sophos