Flaws in Mozilla's Handling of Security Certificates Discovered and Fixed

Tuesday July 27th, 2004

CNET is reporting that two new flaws in the way Mozilla handles security certificates have been discovered. The more serious vulnerability allows a site to appear to have a security certificate when it does not (bug 253121). The other hole makes it possible for an attacker to overwrite the root certificate authority certificates, causing an error message to appear whenever the user tries to access a (genuine) secure site (bug 249004). Both bugs have now been fixed, but updated end-user releases of Mozilla products are not yet available.

#1 CNet article inaccurate. Get it corrected

by danielwang

Tuesday July 27th, 2004 8:22 PM

To repeat what I said in <…_date=2004-07-27+20-42-32>

The article recommends that "Web surfers eyeing ... might want to wait a week before making the switch." Note that the IE vulnerabilities that caused US-CERT to recommend browser switching are rated EXTREMELY CRITICAL, whereas the recent shell: vulnerability and the two Mozilla bugs are either "moderately critical" or "less critical."

Btw, an Opera phishing bug was also announced yesterday in Full Disclosure.

Everyone, please send the author an e-mail to recommend "switching to alternative browsers despite minor security bugs". Also get him to update the article on bug fixes.