Mozilla: Sorry, we messed up on SSL cert disclosure
When Mozilla issued Firefox 4 RC 2 last week, the only update was a non-specific SSL cert revocation issue.
At the time, I wrote that I thought it was a big deal, though to be honest, I had no insider information. As it turns out, it was a big deal as the certs in question were from Comodo and affected other major browsers as well. Allegedly the SSL cert issue was an attack perpetrated by the Government of Iran (though I have not seen solid evidence of that myself).
In addition to patching Firefox 4, Mozilla also issued updates for Firefox 3.5 and 3.6.
"As soon as all the patched versions were released, we made a release announcement with some details of the problem," Mozilla stated in a blog post. "Mozilla did not publish the information we received prior to shipping a patch. In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well."
Sounds reasonable enough to me, though Mozilla now has a different view.
"In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects."
I disagree on that point.