Samuel Sidler

Back when I was working at Mozilla, there was quite a bit of discussion about user choice, specifically how important it is for users to be able to choose their browser. Often, this discussion was tied to the Mozilla Manifesto, point 5:

Individuals must have the ability to shape their own experiences on the Internet.

Back in February 2010 (a couple months after I left Mozilla), Mozilla launched the “Open to Choice” campaign (since shuttered), which was a great place to send individuals to show them why the ability to choose your own browser is important. The campaign was mostly tied to Microsoft’s settlement with the European Union and its requirement to offer a selection of browsers to choose from during setup. Here’s Mozilla’s then-CEO John Lilly on why browser choice matters:

(Side note: the Open to Choice campaign has been shut down and wasn’t archived, unlike most other Mozilla sites. Going to opentochoice.org leads to a bad https site, and then a 403. I would love to read the letter from John Lilly and Mitchell Baker again.)

As an iPhone user, I’m more-or-less stuck with Safari. Sure, I can find numerous browsers in the App Store, Chrome included. But the browsers in the app store are mostly just embedded version of WebKit – a limited version of WebKit at that. Why can’t I run Firefox on my iPhone? Why can’t I run a real version of Chrome? Apple has locked out browser makers by making specific requirements of the applications in the App Store and making the App Store the only way to distribute apps. Short of jailbreaking my iPhone and hoping Mozilla or Google port their respective browsers to jailbroken iPhones, there’s nothing I can do.

Prior to my iPhone, however, I had a Google Nexus One phone. One of the features of Android is the “open” Android Market and the ability to install applications from any source. Back then, I wasn’t locked in to any specific browser. In fact, I ran Firefox on my Nexus One and was quite happy with it, even back in the days of Firefox being incredibly slow on Android. The situation has gotten even better with Google shipping a version of Chrome for Android. It isn’t hard to imagine another browser running on the platform some time in the future.

Last year, in May 2012, Harvey Anderson, Mozilla’s General Counsel, wrote about the lack of browser choice on Microsoft’s Windows RT, an ARM-specific operating system tailored for tablets. He conclusion is quite clear:

The prospect that the next generation of Windows on ARM devices would limit users to one browser is untenable and represents a first step toward a new platform lock-in.

But the upcoming Firefox OS, built on Mozilla technology (namely Gecko), doesn’t appear to have any browser choice (as John Gruber pointed out a couple days ago). Is this an oversight or are developers working on the ability to allow browsers to run successfully on Firefox OS? And what about Chrome OS – why hasn’t Mozilla publicly asked for browser choice from Google?

Even webOS – Palm’s HP’s LG’s ill-fated operating system built on Linux and WebKit – had a method for porting browsers. In fact, a Mozilla developer started an experimental Firefox port a while ago. That experiment ended, likely because it isn’t important to port Firefox to a dying platform, but the point remains that it was possible.

I’ll ask again: where is the ability to select a third party browser on Firefox OS? Is this ability being planned in the future? And why has there been no advocacy against Chrome OS for its lack of browser choice? It all feels rather hypocritical to me.

There’s been a lot written about the most recent Comodo certificate compromise including two Mozilla Security Blog posts on the topic, but I have yet to see a concise timeline of the events. As a former Mozilla security release coordinator, I’ve been following this topic closely and wanted to write up my thoughts, as well as a full timeline.

A good write up of the issue is available on the Mozilla Security Blog, as well as on the Tor blog, where Jacob Appelbaum did excellent detective work to find this issue long before it was publicly disclosed. I also want to mention bug 642395 in which details are emerging about a hacker claiming to be responsible for the compromise.

Timeline

• 15 March, 18:00-20:00 – Certificates issued.
• T+0d, 0h, 15m – Comodo revokes certificates.
• T+1d, 1h, 32m – Mozilla informed of issue with initial list of certificates.
• T+1d, 4h, 33m – Google lands initial fix in Chrome’s tree.
• T+1d, 13h, 29m – Mozilla bug filed.
• T+1d, 21h, 59m – Comodo confirms most major browser vendors aware of the issue.
• T+1d, 23h, 44m – Chrome update with initial fix available.
• T+2d, 1h, 38m – Mozilla lands initial fix on main development trunk and Firefox 4 branch.
• T+2d, 13h, 29m – Comodo informs Mozilla of two additional certificates to block.
• T+2d, 15h, 33m – Mozilla lands additional fix on main trunk and Firefox 4 branch.
• T+2d, 19h, 59m – Google lands additional fix in Chrome’s tree.
• T+3d, 16h, 45m – Confirmation that Apple is aware of the issue.
• T+3d, 23h, 20m – Mozilla lands initial fix and additional fix on Firefox 3.5 and 3.6 branches.
• T+6d, 17h, 44m – Firefox 4 with fixes available.
• T+7d, 6h, 30m – Firefox 3.5.18 and 3.6.16 with fixes available.
• T+7d, 7h, 12m – Mozilla announces certificate issue, without details.
• T+7d, 20h, 44m – Microsoft issues fixes.
• T+9d, 1h, 16m – Chrome update with additional fix available.
• T+9d, 19h, 23m – Mozilla announces details of certificate issue.

Some notes about the above timeline:

1. All times in UTC.
2. T+0 is 15 March, 20:00 since that’s seemingly when the last certificate was issued.
3. The “initial fix” listed is a patch blacklisting the initial 7 certificates that Comodo informed vendors about.
4. The “additional fix” listed is a patch blacklisting the additional 2 certificates that Comodo informed vendors about.
5. Details about when vendors other than Mozilla were alerted to the issue are hard to find.

There’s a lot to say about this event, much of which has already been said. Before talking about timeline, I think it’s important to call out Comodo for both their good and bad work in this instance.

To save face, Comodo could have simply revoked the certificates and dealt, in private, with the RA that issued the certificates. Those outside of the open source world know how hard it is to come clean, publicly, for something that can be kept private. Kudos to them for contacting browser vendors and ensuring a fix made it out fast.

That said, this isn’t the first problem Comodo has had. Previously Comodo allowed issuance of a www.mozilla.com certificate, allowing domain verification to be done by their RA.

(I could also mention bug 526560 but that wouldn’t be entirely fair to Comodo since other CAs are doing the same thing. While this is blatantly against Mozilla’s CA Policy, Mozilla has decided not to enforce such issues. The open bug on enforcing section 7 is 567193.)

Of course everyone is focusing on Comodo right now. I’d like to focus on the browser vendors and their reactions to this threat.

From the timeline, it’s fairly clear that one browser vendor has taken the longest getting this issue fixed. No surprise here, that vendor is Apple. I yearn for the day when Apple takes security seriously. Unfortunately, I think I’ll be yearning for a long, long time.

It’s also clear that Google responded fastest, issuing a fix to its users less than 48 hours after the attack. While we don’t know for sure when they were contacted, we can assume it was around the time Mozilla was contacted. It’s clear they went into overdrive and released a stable version of Chrome blacklisting the bad certificates less than 24 hours after being informed of the issue. Sadly, Google didn’t know that Comodo would later realize they had failed to disclose two additional fraudulent certificates to browser vendors. They issued a fix for those two certificates seven days later.

Mozilla has often worked that fast to fix critical security issues, but in this case didn’t. While they quickly decided to rebuild the Firefox 4 release candidate to include the blacklisted certificates, it still took a full six days before a fix was in the hands of users, in the form of Firefox 4 and later Firefox 3.5.18 and 3.6.16. During this time, all users were theoretically at risk.

Comodo has said that there is no evidence of any of the bad certificates being used in the wild, based on their OCSP responder logs. Of course, OCSP pings can be stopped with a MitM attack, something any state-driven attack — as Comodo claims this is likely to be — could easily do. (Read more on revocation and its shortfalls.)

Mozilla also decided not to disclose this issue publicly until a fix was release. They have since apologized for waiting so long but I think the bigger story is how long it took to get a fix out in the first place. While Google jumped to protect Chrome users, Mozilla waited almost six days before issuing a fix to users.

Attacks like this are often targeted at a specific group of users and this one was likely the same. We will likely never know all the details but there are a few questions and takeaways from this event that we should look at closely and take very seriously.

1. Revocation clearly doesn’t work right now. At what point will browsers fail on revocation errors?
2. Mozilla has always held openness and security as two of its main mantras. In this instance, they failed at both, not informing users of a targeted attack immediately and not issuing a security fix for almost six days. Sometimes waiting for everyone else isn’t “responsible disclosure.”
3. Comodo has never had full control over its RAs – something likely true of many CAs – and is increasingly causing critical security issues for users worldwide. The larger your network of RAs, the larger your threat vector.

I’m actually a bit disappointed at Mozilla’s performance during this event and I hope they take such compromises more seriously in the future. Regardless, there are lessons to be learned at each step of the way by all parties involved.