Mar 28, 2011 04:48 GMT

Mozilla has published more information about the recent incident where hackers obtained rogue SSL certificates for high-profile domains via Comodo and admitted that keeping the whole thing under wraps for a week was not a good decision.

The compromise occurred sometime around March 15 and involved hackers obtaining the login credentials of a Comodo reseller and using them to request digital certificates for login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org.

Comodo claims the attack came from Iran and that one of the rogue certs was tested from a server in the Islamic republic known for engaging in online surveillance.

With control of Internet gateways, the certificates could have been used to impersonate those websites and steal the login credentials of political activists.

The world didn't learn about the incident until March 22, when Mozilla issued a Firefox update to block the certificates and vaguely explained what happened.

Judging from a now-public entry on Mozilla's bug tracker, Jacob Appelbaum, an American security researcher and software engineer with the Tor Project, figured out what happened on his own and contacted the vendor privately.

He was told about the issue and was asked to keep quiet because Comodo requested it in order to give all vendors a chance to issue patches.

Appelbaum reluctantly accepted, but pointed out to Mozilla that "disclosure does not allow anyone else to perform this attack - only the attacker with the certificate is able to take advantage of this situation" and that "only the attacker will benefit from a delay."

Going public immediately would have allowed those potentially targeted, like Iranian activists who face torture and tens of years in prison, to employ other types of mitigation in the absence of a patch or to temporarily stop using their accounts.

Mozilla admitted that keeping silent was not the best decision. "In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects," the browser vendor wrote in its new and more detailed blog post.

Update March 28, 2011: Replaced the description of Iran as an "Arab country" with "Islamic republic" in the article for reasons of accuracy.