
Mozilla's Firefox Add-ons site affected by DigiNotar certificate scam

by Phil Muncaster

01 Sep 2011


It has emerged that the Mozilla Firefox add-ons web page was affected in the same scam that saw Dutch SSL certificate authority DigiNotar issue fraudulent certificates for various sites including Google.com.

Director of Firefox engineering Johnathan Nightingale responded to V3 in a statement: "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue.

"In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar from our root program and protect our users."

DigiNotar parent company Vasco admitted in a release on Tuesday that several certificates were erroneously issued after an "intrusion into its certificate authority infrastructure" on 19 July.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked," the company added at the time.

"Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the [Google.com] fraudulent certificate."

Mozilla did not say whether the hackers managed to use the fraudulent certificates to launch man-in-the-middle attacks on Firefox users before the certificates were revoked.

Google, on the other hand, admitted that such attacks, using the relevant stolen certificate, had been attempted, mainly against Iranian users.

To many, the news of another certificate authority being compromised just months after the Comodo debacle is proof that the current system for authenticating web sites is broken.

Do you agree?

 
