On June 18, 2022, we determined that an unauthorized party accessed certain of our systems used for internal operations – functions such as HR, finance, and marketing. We promptly began an investigation with the assistance of a leading third-party cybersecurity firm and have informed law enforcement.
While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate environments from our internal systems and are fully operational. Regarding our Public Certification Authority: all roots are offline and require multiple security-cleared people to be physically present in a secure room to access.
We take seriously our responsibility to protect our systems and have been engaged with our customers on the issue.
As stated, there was no impact to our roots, as the roots are offline and can only be accessed if two people are physically present in a secure room. Also, our PKI system is on a separate infrastructure, so it was not accessed.
Since there has been no impact to our PKI and certificate issuance systems, which use roots distributed by your application, we did not raise an incident.
Given news that Entrust were subject to a ransomware attack, which until now they have not confirmed or given any details on in public, at what point do we need to assume the CAs and CA operations are compromised? Should action be taken by Mozilla to eliminate risk and remove trust in the root authority?
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/zEcsmYjEJdXUd-H8gWEsBaGnIx44oLKyjOHxvd7edfkpHSc58eRxXoWH7sfZot5hWqBNaPe-7topJps-0YQQedb1UvuUwvBe4T43dNoSALE%3D%40proton.me.
I agree that even considering removing a CA just because of a compromise unrelated to CA infrastructure is completely inappropriate if the breach has been handled well. As long as a breach is handled properly and learned from, there should be no reason to take such drastic measures, especially if no misissuance occurred. At least this allows for security problems to be resolved. If we remove every CA that ever had any incident of any kind, we will end up with only new CAs that likely have even more security problems, just ones no one has discovered yet.