Mozilla Foundation Security Advisory 2011-34

Protection against fraudulent DigiNotar certificates

Announced

August 30, 2011

Impact

High

Products

Firefox, Firefox Mobile, SeaMonkey, Thunderbird

Fixed in

Firefox 3.6.21
Firefox 6.0.1
Firefox Mobile 6.0.1
SeaMonkey 2.3.2
Thunderbird 3.1.13
Thunderbird 6.0.1

Description: Google Chrome user alibo encountered an active "man in the middle" (MITM) attack on secure SSL connections to Google servers. The fraudulent certificate was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has reported evidence that other fraudulent certificates were issued and in active use but the full extent of the compromise is not known.

For the protection of our users Mozilla has removed the DigiNotar root certificate. Sites using certificates issued by DigiNotar will need to seek another certificate vendor.

Mozilla thanks Google, Inc. for reporting this issue to us. We also thank Marien Zwart (Mozilla Localization), Ot van Daalen (Bits of Freedom), and Erik de Jong (GovCERT) for their help.

References:

Fraudulent *.google.com Certificate [Mozilla Security Blog]
An update on attempted man-in-the-middle attacks [Google Online Security Blog]
https://bugzilla.mozilla.org/show_bug.cgi?id=682927

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2011-34

Protection against fraudulent DigiNotar certificates