Mozilla has apologised for not disclosing the security situation caused by the theft of SSL security certificates from a Comodo affiliate.
The online theft occurred on 15 March after a hacker broke into a Southern European affiliate of Comodo and managed to obtain nine SSL certificates in a two-hour breach.
The attack was detected while in progress, and all certificates were immediately revoked, but Mozilla did not release any information, and in fact asked the Tor Project to embargo the information when its staff noticed the changes.
"Mozilla did not publish the information we received prior to shipping a patch. In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well," Mozilla's security team said in a blog post.
"In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects."
Comodo said that the choice of target, as well as the location and methods of the attackers, point to its being a state-sponsored attack by the Iranian government. Mozilla, Google, Yahoo and Skype were among the targets.
However, Mozilla also expressed strong reservations about Comodo's certification process and the level of access it allows its affiliates.
The browser maker called for the company to give a full account of the security incident and to tighten its operating procedures.