Mozilla explains attack By Pulkit Sharma
Put simply, SSL technology provides for secure, encrypted traffic between a website and a user’s browser. It is used by the websites of banks and major technology companies, which handle payments of some sort, but anyone can obtain a certificate to set up SSL on their own portal after detailed checks and balances by an issuing authority.
In mid-March 2011, a hacker from Iran managed to break into the issuing authority Comodo and obtain fraudulent certificates for the following sites:
addons.mozilla.org
login.live.com
mail.google.com
www.google.com
login.yahoo.com (x3)
login.skype.com
global trustee
Again, put simply (so as not to bore you with too many technical details), this would have allowed the hacker in Iran to fool many locals (human rights activists and opposition figures?) into logging on to fake Google, Yahoo, Skype and Mozilla sites, thus compromising their logins and passwords.
Mozilla, whose Firefox browser is the second most popular in the world after IE, has now blogged about how it erred in not warning the public earlier about this security breach:
“On being informed of this issue by Comodo at 9.47pm GMT on 16th March, Mozilla considered a number of technical avenues. Although Comodo’s revocation is a significant mitigating step, we thought that additional measures made sense and eventually decided to hard-code a blacklist of the certificate serial numbers into Firefox. We therefore produced RC2 of Firefox 4 (released as Firefox 4 final on 22nd March), with two additional code patches (1, 2). These patches disable these specific certificates, plus one additional certificate issued to us by Comodo for testing, making a total of 10. These fixes were also included in updates to Firefox 3.5 and 3.6, also released on 22nd March. As soon as all the patched versions were released, we made a release announcement with some details of the problem.
Mozilla did not publish the information we received prior to shipping a patch. In early discussions, we were concerned that any indication that we knew about the attack would lead to attackers blocking our security updates as well. We also recognized that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.
Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.
In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.” (3/26/2011)
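The quoted post weighs three ways a browser can reject the fraudulent certificates: the usual soft-fail OCSP check, a hard-fail OCSP requirement that would break legitimate sites whenever a responder is unreachable, and the hard-coded serial-number blacklist Mozilla shipped. The following is an added illustration written for this article, not Mozilla's Firefox code; it models the three policies on constructed certificates whose issuer names and serial numbers are placeholders (the post does not list the real serials) and shows which policy accepts or rejects each certificate when the OCSP responder is reachable or blocked.

```python
"""Model of the revocation-checking options discussed in the Mozilla post.

Constructed example: Cert, check_cert and the serials below are illustrative
placeholders, not Firefox internals or the real Comodo serial numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    hostname: str


def check_cert(cert, blacklist, ocsp_status, require_ocsp):
    """Decide whether to accept `cert`.

    blacklist:    set of (issuer, serial) pairs hard-coded into the client.
    ocsp_status:  "good", "revoked", or None when the responder is unreachable
                  (for example because an attacker on the path blocks it).
    require_ocsp: True models the hard-fail preference the post mentions;
                  False models the default soft-fail behaviour.
    Returns (accepted, reason).
    """
    # The hard-coded blacklist is consulted first and needs no network access,
    # so it works even when the OCSP responder cannot be reached.
    if (cert.issuer, cert.serial) in blacklist:
        return False, "hard-coded blacklist"
    if ocsp_status is None:
        if require_ocsp:
            return False, "no OCSP response (hard-fail)"
        return True, "no OCSP response (soft-fail)"
    if ocsp_status == "revoked":
        return False, "OCSP revoked"
    return True, "OCSP good"


# Constructed certificates: placeholder issuer and serials, not real values.
FRAUDULENT = Cert("Comodo (placeholder issuer)", 0xA1, "login.yahoo.com")
LEGITIMATE = Cert("Comodo (placeholder issuer)", 0xB2, "example-bank.invalid")

# The client-side blacklist lists only the fraudulent certificate.
BLACKLIST = frozenset({(FRAUDULENT.issuer, FRAUDULENT.serial)})


def compare_policies():
    """Run each policy over three scenarios; return {scenario: {policy: accepted}}."""
    scenarios = {
        # (certificate presented, OCSP status as seen by the browser)
        "fraud_responder_reachable": (FRAUDULENT, "revoked"),
        "fraud_responder_blocked": (FRAUDULENT, None),
        "legit_responder_blocked": (LEGITIMATE, None),
    }
    results = {}
    for name, (cert, ocsp) in scenarios.items():
        results[name] = {
            "soft_fail": check_cert(cert, frozenset(), ocsp, require_ocsp=False)[0],
            "hard_fail": check_cert(cert, frozenset(), ocsp, require_ocsp=True)[0],
            "blacklist": check_cert(cert, BLACKLIST, ocsp, require_ocsp=False)[0],
        }
    return results


if __name__ == "__main__":
    for scenario, outcome in compare_policies().items():
        print(scenario, outcome)
```

The table this prints is the trade-off the post describes: with soft-fail OCSP the revoked certificate is accepted as soon as the responder is blocked, hard-fail OCSP rejects it but also rejects the legitimate site whenever the responder is unreachable, and the hard-coded blacklist rejects only the known-bad serials regardless of network conditions.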