Mozilla has apologised for not disclosing the security situation caused by the theft of SSL security certificates from a Comodo affiliate.
The online theft occurred on 15 March after a hacker broke into a Southern European affiliate of Comodo and managed to obtain nine SSL certificates in a two-hour breach.
The attack was detected while in progress, and all certificates were immediately revoked, but Mozilla did not release any information, and in fact asked the Tor Project to embargo the information when its staff noticed the changes.
"Mozilla did not publish the information we received prior to shipping a patch. In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well," Mozilla's security team said in a blog post.
"In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects."
Comodo said that the choice of target, as well as the location and methods of the attackers, point to its being a state-sponsored attack by the Iranian government. Mozilla, Google, Yahoo and Skype were among the targets.
However, Mozilla also expressed strong reservations about Comodo's certification process and the level of access it allows its affiliates.
The browser maker called for the company to give a full account of the security incident and to tighten its operating procedures.