A breach at DigiNotar resulted in several rogue signed certificates in the wild

Sep 1, 2011 11:50 GMT

Mozilla has updated its two supported Thunderbird versions to remove the root certificate of DigiNotar from the list of authorized Certificate Authorities (CA). The CA had been the victim of a successful attack, and several rogue certificates signed by it had been issued.

Both Mozilla and Google issued updates for their browsers, removing the root certificate for the vendor.

Now, Mozilla has also provided updates for Thunderbird 6, the latest stable version of the popular email suite, and for the older Thunderbird 3.1, which is still being supported with security patches.

"Thunderbird 6.0.1 and Thunderbird 3.1.13 are now available as free downloads for Windows, Mac, and Linux," Mozilla announced.

"As always, we recommend that users keep up to date with the latest stability and support versions of Thunderbird, and encourage all our users to upgrade to the very latest version," the group advised.

"Thunderbird 6.0.1 and Thunderbird 3.1.13 revoke the root certificate for DigiNotar due to fraudulent SSL certificate issuance," Mozilla explained.

A breach at DigiNotar led to a number of rogue certificates being issued, including one for Google. It appears that the attack is linked to Iran.

The false certificates had been in the wild for at least several weeks before they were discovered. During this time, any encrypted visit to a Google site, or to any of the other affected sites, could have been intercepted by third parties in a man-in-the-middle attack.

It is believed that the attack targeted Iranian users in particular, but it's impossible to know how widespread the issue is. The breach raises big questions about the security of the public key infrastructure, at least in its current form.

Mozilla has already issued updates for Firefox 6, Firefox 3.6, Firefox 8 Aurora, Firefox 9 Nightly and SeaMonkey 3.2. Updates for Firefox for Mobile and Firefox 7 Beta are in the works. Google Chrome has also been updated.
