Mozilla will ask all certificate authorities to revoke SSL-spying certificates

Mozilla's planned grace period for man-in-the-middle sub-CA certificate revocations could pose issues

Mozilla plans to ask all certificate authorities to review their subordinate CA certificates and revoke those that could be used by companies to inspect SSL-encrypted traffic for domain names they don't control.

The plan, whose details are still being worked out, is Mozilla's response to Trustwave's recent claim that the use of such certificates for SSL (Secure Sockets Layer) traffic management within corporate networks is a common practice.

After a week of debating whether to punish Trustwave for violating its CA Certificate Policy, Mozilla has decided to send out a communication to all certificate authorities requesting them to come clean about similar certificates and to revoke them.

"My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS [Mozilla's Network Security Services], give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period," said Kathleen Wilson, the owner of Mozilla's CA Certificates Module, in an entry on Bugzilla.

How long a grace period CAs will get to revoke sub-CA certificates currently used to inspect SSL-encrypted traffic on corporate networks has not been decided yet, but according to Wilson a time frame of two or three months is being considered.

After that, any CA caught with such a certificate would have its root certificate removed from Mozilla's products, and every certificate chaining to that root would produce an error when opened in the browser.

A grace period is necessary because the companies that deployed traffic-monitoring products with sub-CA certificates on their networks are probably very large enterprises that would need time to implement alternative solutions, Wilson said on the mailing list.

However, according to Amichai Shulman, chief technology officer at security firm Imperva, three months will probably not be enough to accommodate such changes. Six months would be more reasonable, he said.

Many companies that inspect SSL-encrypted traffic on their networks in order to prevent data leaks or detect internal policy violations generate their own root certificate and deploy it on all of their end-point devices, so that only those devices trust it. The time required to do this varies with the number of devices and their type.

Shulman was surprised to hear Trustwave's claim that this is a common practice in the industry, because in his opinion the use of sub-CA certificates for the purpose of monitoring enterprise communications is irresponsible, given the worldwide implications of such a certificate being stolen.
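The two issuance models described above differ only in which root the inspection certificate chains to, and that alone decides who trusts it. The Go program below is an added example, not code from the article or from any of the companies it names: it builds a throwaway "Public Root CA" (a hypothetical stand-in for a root shipped in NSS), has it issue an unconstrained sub-CA, and has that sub-CA mint a certificate for www.example.com, a host the fictional enterprise does not control; it then builds a "Corp Private Root" of the kind an enterprise generates itself and has it issue the same sort of certificate directly. Go's standard-library verifier then plays two clients: one that trusts only the public root (any browser anywhere) and one that also trusts the private root (a managed endpoint). All CA names and the host are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a P-256 key and has parent (holding parentKey) issue a cert for tmpl; nil parent = self-signed root.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate: a CA with no name constraints, so it may sign for any domain (the sub-CA shape the article is about).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate: a server certificate for host, the kind an inspection proxy mints for each site a user visits.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// accepted reports whether a client trusting exactly roots accepts leaf for host, given the intermediates sent in the handshake.
func accepted(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err == nil
}

// Outcome: each issuance model checked against an unmanaged client (public root only) and a managed one (private root added).
type Outcome struct {
	SubCALeafTrustedByPublic    bool
	PrivateLeafTrustedByPublic  bool
	PrivateLeafTrustedByManaged bool
}

// Evaluate builds both chains for host. The CA names are hypothetical stand-ins (an NSS root vs. an enterprise root).
func Evaluate(host string) Outcome {
	publicRoot, publicKey := newCert(caTemplate("Public Root CA", 1), nil, nil)
	subCA, subKey := newCert(caTemplate("Corp TLS Inspection Sub-CA", 2), publicRoot, publicKey)
	subLeaf, _ := newCert(leafTemplate(host, 3), subCA, subKey)
	privateRoot, privateKey := newCert(caTemplate("Corp Private Root", 1), nil, nil)
	privateLeaf, _ := newCert(leafTemplate(host, 2), privateRoot, privateKey)

	public := []*x509.Certificate{publicRoot}
	managed := []*x509.Certificate{publicRoot, privateRoot}
	return Outcome{
		SubCALeafTrustedByPublic:    accepted(subLeaf, []*x509.Certificate{subCA}, public, host),
		PrivateLeafTrustedByPublic:  accepted(privateLeaf, nil, public, host),
		PrivateLeafTrustedByManaged: accepted(privateLeaf, nil, managed, host),
	}
}

func main() {
	fmt.Printf("%+v\n", Evaluate("www.example.com"))
}
```

Run it with `go run`. The sub-CA's certificate for a domain the enterprise does not own verifies for the public-root-only client, which is exactly the property that gives a stolen or misused sub-CA worldwide reach; the private-root certificate is rejected by anyone who has not installed that root and accepted only by the managed client. Go's verifier is used here as a stand-in for a browser's chain building; Firefox uses NSS, so this shows the structural point rather than NSS's exact behaviour.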

Mozilla is right to demand that this practice stop, he said. However, he doubts that the company can enforce a change without help from other browser vendors.

That's because removing a CA certificate from its products for a policy violation will result in users being unable to access websites secured with certificates issued by that particular CA. Unless users receive similar certificate errors in other browsers, they'll think it's a problem with Firefox and switch to something else, Shulman said.

Other people participating in the discussion on the mailing list don't agree that CAs should be offered a grace period. One argument is that companies engaged in man-in-the-middle SSL traffic inspection could simply stop doing it until they roll out an alternative solution.

Others feel that Mozilla shouldn't send a communication to CAs for the sole purpose of requesting disclosure of something that clearly violates their policy.

"Look, Mozilla has a policy, there is no reason to require something that doesn't comply to the policy anyway," said Eddy Nigg, CTO of StartCom and StartSSL, in an email to the mailing list. "The policy hasn't changed and I'd advise Mozilla to apply its own policy, simple as that."


Lucian Constantin

IDG News Service