Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own domain.

2) The scope of the breach remains unknown. While we were initially informed by Google that a fraudulent *. certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. We now know that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.

3) The attack is not theoretical. We have received multiple reports of these certificates being used in the wild.