Hi there,

To be clear: Mozilla does not revoke certificates. In some specific cases (e.g., private browsing), Firefox will refuse to connect to a web site, but this is not the same as the certificate being revoked.

It's possible that we could configure the browser to not connect to known vulnerable sites. However, there's a fair degree of administrative overhead involved in maintaining that list, so I would be inclined to only pursue this option if there were a large number of sites affected or if some especially important sites were affected. Unfortunately, in the context of the web, 738 sites is not that many.

I would encourage you to make your case to the CAs that have issued certificates to the vulnerable sites.

--Richard

On Sep 30, 2014, at 11:15 PM, [email protected] wrote:

> According to SSL Pulse there are 738 sites that are vulnerable to Heartbleed:
> https://www.trustworthyinternet.org/ssl-pulse/
>
> I just don't see how that can be tolerated. I'm assuming this data means we
> have sites that are presenting valid certs even though their private keys can
> be (and may have already been) compromised. That's not acceptable.
>
> To get the discussion going, I think one way to move forward is for the
> issuing agencies to notify the offending sites that their certificates will
> be revoked in, say, 21 days. If a site takes no action then secure
> connections will fail after that period, which may or may not be a problem
> for those sites.
>
> If a site wishes to avoid that disruption then the following needs to happen:
> apply the relevant patches to the vulnerable system; generate a new
> public/private key pair; get a new certificate issued; and finally install
> the new cert before the end of the 21 day window.
>
> I imagine that could be controversial but we have to start somewhere. So
> speak up!
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
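The quoted remediation procedure hinges on one step that is easy to get wrong: the replacement certificate has to be issued over a freshly generated key pair, not re-issued over the key that Heartbleed may already have exposed. The script below is an added example, not code from either poster or from Mozilla. It uses only the openssl command line, builds its own throwaway "old", "re-issued" and "re-keyed" certificates in a temporary directory (constructed test data; the host name and file names are made up), and checks whether two certificates carry the same SubjectPublicKeyInfo. Matching SPKI fingerprints mean the key was never rotated, whatever the certificate's serial number or dates say.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect a Heartbleed
# "re-issue" that kept the old key. Requires the openssl CLI.
set -e

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# Two certificates with equal values here share the same public key.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | awk '{print $1}'
}

# Returns 0 if the replacement cert ($2) uses a different key than the
# compromised cert ($1), 1 if the key was reused.
check_rotation() {
    old_fp=$(spki_fingerprint "$1")
    new_fp=$(spki_fingerprint "$2")
    if [ "$old_fp" = "$new_fp" ]; then
        echo "SAME KEY  $2 (SPKI $new_fp) - rotation incomplete"
        return 1
    fi
    echo "REKEYED   $2 (SPKI $new_fp)"
    return 0
}

# Constructed scenario: hypothetical host vulnerable.example.
workdir=$(mktemp -d)
subj="/CN=vulnerable.example"

# 1. Pre-patch key and certificate; assume this key leaked via Heartbleed.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$workdir/old.key" \
    -out "$workdir/old.pem" -subj "$subj" -days 30 2>/dev/null

# 2. The mistake: a brand-new certificate signed over the same old key.
openssl req -x509 -new -key "$workdir/old.key" \
    -out "$workdir/reissued.pem" -subj "$subj" -days 30 2>/dev/null

# 3. The correct remediation: new key pair, then a certificate over it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$workdir/new.key" \
    -out "$workdir/rekeyed.pem" -subj "$subj" -days 30 2>/dev/null

# Stand-alone demo output (the if/else keeps set -e from aborting on the
# expected failure of the re-issued certificate).
for candidate in "$workdir/reissued.pem" "$workdir/rekeyed.pem"; do
    if check_rotation "$workdir/old.pem" "$candidate"; then :; fi
done
```

For a live site you would feed the certificate the server actually presents, obtained with something like `openssl s_client -connect host:443 -servername host </dev/null | openssl x509`, as the second argument, and the pre-disclosure certificate (from your own records or a CT log) as the first. Comparing the SPKI rather than the whole certificate is deliberate: a CA can legitimately issue a new serial, new dates and a new signature while the public key, and therefore the exposed private key, stays exactly the same.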

