
This account buries the lede in investigation details.

The key points (if I understand correctly) are:

Fraudulent SSL certificates, trusted by all but the very latest browser versions, were obtained by unauthorized parties for 7 hostnames: 'addons.mozilla.org' and 6 others not yet known (but possibly 'high-value' sites like "Facebook, Skype, Google, Microsoft, Mozilla").

The possessor(s) of these rogue certificates could plausibly impersonate those sites in HTTPS traffic, except with regard to the very latest browser releases. (The latest Chromium/Chrome and Firefox for the first time include a certificate blacklist in their source code, and noticing this change began the author's investigation.)

Traditional certificate-revocation methods are supposed to prevent this, but can be made to fail silently, indefinitely, by the same sorts of attackers who can intercept and alter other traffic. Thus older browsers may continue to be subject to such impersonation indefinitely.

All the compromised certificates appear to have been issued by a company called USERTRUST from Utah, a reseller/delegated-authority via Comodo. It is speculated that a "state level adversary" could have been responsible for the creation of the illegitimate certificates. There's been no official statement by the Certificate Authorities; the above was deduced from the source code changes and data in the EFF's 'SSL Observatory'. Mozilla has issued a statement on their security blog:

https://blog.mozilla.com/security/2011/03/22/firefox-blockin...
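The two defences the comment contrasts, as an added example that is not part of the original post: a blacklist compiled into the client (what the new Chrome and Firefox builds did) versus an online OCSP/CRL lookup that "soft-fails" when an on-path attacker simply drops the request. The issuer name and serial numbers are constructed placeholders, not the real USERTRUST or Comodo values.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the blacklist shipped in the browser source:
# (issuer DN, serial number). Placeholder values, not the real rogue certs.
SHIPPED_BLACKLIST = {
    ("CN=PLACEHOLDER-CA", "0x1000"),
    ("CN=PLACEHOLDER-CA", "0x1001"),
}

@dataclass
class Cert:
    issuer: str
    serial: str   # hex string, as a parsed X.509 serial would be rendered
    subject: str

# A responder callable returns "good" or "revoked", or raises TimeoutError
# when the OCSP/CRL traffic never gets an answer (e.g. dropped on-path).
Responder = Callable[[Cert], str]

def ocsp_status(cert: Cert, responder: Responder) -> Optional[str]:
    try:
        return responder(cert)
    except TimeoutError:
        return None   # no answer at all: the check was silenced

def accept(cert: Cert, responder: Responder, hard_fail: bool = False) -> bool:
    """Decide whether to trust cert for a TLS session."""
    # 1. Local blacklist: needs no network, so it cannot be made to fail
    #    silently by whoever controls the path to the CA.
    if (cert.issuer, cert.serial) in SHIPPED_BLACKLIST:
        return False
    # 2. Online revocation check.
    status = ocsp_status(cert, responder)
    if status == "revoked":
        return False
    if status is None:
        # Soft-fail treats "no answer" as "not revoked", which is exactly the
        # indefinite impersonation window the comment describes; hard-fail
        # rejects instead (at the cost of breaking when the CA is merely down).
        return not hard_fail
    return True

# Constructed responders for a demonstration run.
def responder_revoked(cert: Cert) -> str:
    return "revoked"

def responder_blocked(cert: Cert) -> str:
    raise TimeoutError("OCSP request dropped by an on-path attacker")
```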




I wonder if Comodo is an RSA SecurID customer. Odds are they are.

Comodo revoked the certificates on the 15th, RSA announced their compromise on the 17th, but presumably RSA et al. were aware some days before the announcement.


Could this possibly be the Chinese government, what with their attempts to compromise Gmail in the last week or so?


It could certainly possibly be the Chinese government, but there's no evidence linking them and there seem to be easier ways for the Chinese to get their hands on a CA. (They already have one, and are you really willing to bet that no other CA is willing to give out a copy of their key for "law enforcement purposes" and a big pile of money?)



