Links for 2011-03-23

  • Detecting Certificate Authority compromises and web browser collusion | The Tor Blog : ‘If I had to make a bet, I’d wager that an attacker was able to issue high value [SSL] certificates, probably by compromising [the USERTRUST SSL certificate authority] in some manner, this was discovered sometime before the revocation date, each certificate was revoked, the vendors notified, the patches were written, and binary builds kicked off – end users are probably still updating and thus many people are vulnerable to the failure that is the CRL and OCSP method for revocation.’ It seems addons.mozilla.org was one of the bogus certs acquired. Major ouch. Thanks to EFF/Tor et al. for investigating this — SSL cert revocation is a shambles.
    (tags: security ssl tls certificates ca revocation crypto exploits eff tor comodo usertrust)