Mozilla will ask all certificate authorities to revoke SSL-spying certificates

Mozilla's planned grace period for man-in-the-middle sub-CA certificate revocations could pose issues

Mozilla plans to ask all certificate authorities to review their subordinate CA certificates and revoke those that could be used by companies to inspect SSL-encrypted traffic for domain names they don't control.

The plan, whose details are still being worked out, is Mozilla's response to Trustwave's recent claim that the use of such certificates for SSL (Secure Sockets Layer) traffic management within corporate networks is a common practice.

After a week of debating whether to punish Trustwave for violating its CA Certificate Policy, Mozilla has decided to send out a communication to all certificate authorities requesting them to come clean about similar certificates and to revoke them.

"My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS [Mozilla's Network Security Services], give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period," said Kathleen Wilson, the owner of Mozilla's CA Certificates Module, in an entry on Bugzilla.

The grace period extended to CAs for the revocation of sub-CA certificates currently used for the inspection of SSL-encrypted traffic on corporate networks has not been decided yet, but according to Wilson, a time frame of two or three months is being considered.

After that, anyone caught with such a certificate would have their root key removed from Mozilla's products and all certificates they ever signed would result in an error when opened in the browser.

A grace period is necessary because the companies that deployed traffic-monitoring products with sub-CA certificates on their networks are probably very large enterprises that would need time to implement alternative solutions, Wilson said on the mailing list.

However, according to Amichai Shulman, chief technology officer at security firm Imperva, three months will probably not be enough to accommodate such changes. Six months would be more reasonable, he said.

Many companies that inspect SSL-encrypted traffic on their networks in order to prevent data leaks or detect internal policy violations, generate their own root certificate and deploy it on all of their end-point devices. The time required to do this varies depending on the number of devices and their type.

Shulman was surprised to hear Trustwave's claim that this is a common practice in the industry, because in his opinion the use of sub-CA certificates for the purpose of monitoring enterprise communications is irresponsible, given the worldwide implications of such a certificate being stolen.

Mozilla is right in demanding this practice to stop, he said. However, he doubts that the company can enforce a change without help from other browser vendors.

That's because removing a CA certificate from its products for a policy violation will result in users not being able to access websites secured with certificates issued by that particular CA. Unless users will receive similar certificate errors in other browsers, they'll think it's a problem will Firefox and switch to something else, Shulman said.

Other people participating in the discussion on the mailing list don't agree that CAs should be offered a grace period. One argument is that companies engaged in man-in-the-middle SSL traffic inspection could simply stop doing it until they roll out an alternative solution.

Others feel that Mozilla shouldn't send a communication to CAs for the sole purpose of requesting disclosure of something that clearly violates their policy.

"Look, Mozilla has a policy, there is no reason to require something that doesn't comply to the policy anyway," said Eddy Nigg, CTO of StartCom and StartSSL in an email to the mailing list. "The policy hasn't changed and I'd advise Mozilla to apply its own policy, simply as that."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?