Certificate update

Last week we became aware of the existence of several unauthorized security certificates, issued in violation of rules for creation of such certificates. The certificates chained back to a French certificate authority, ANSSI, and had been signed by one of their intermediate certificates. As certificate authorities like ANSSI have the ability to sign trusted certificates for any web site, it is imperative that they follow the rules, so users can trust them and certificates in general.

Opera reacted immediately, by blacklisting the intermediate certificate, done in a regular browser update. This should be pushed to all users automatically, so users need not take any action. Users of Opera 12 also need to take no action, as Opera 12 did not trust ANSSI to begin with. The update demonstrates how Opera can ensure the safety of users, even when CAs misbehave, and even though we no longer operate our own root store. We still have, and will continue to maintain, the ability to override the root store of the underlying operating system, and to blacklist certificates. We expect that such root stores will be updated shortly as well, but we did not want to leave our users affected until such time.

Both ANSSI, and Google, who were the first to notice and who informed us, have posted information about this incident as well. We expect that root store operators will communicate further with ANSSI, in order to determine how this could happen, and to what degree they will trust ANSSI in the future.

  • Ra-Mon

    “a regular browser update” link to an Opera 18 Next, released a month ago…
    Is it correct ? Or, is the 3 days old Opera 18 update the good release ?
    http://blogs.opera.com/desktop/2013/12/opera-18-stable-update/ ?
    Where are the detailled changlogs ?

    • Sigbjørn Vik

      Link updated, should be less confusing now. Regarding detailed changelogs, please see this post

      • Ra-Mon

        Thank you !

  • Chas4

    :up: This is a spot for a delta update (can update only the code that needs updating) would be interesting to be able to update the CRL without needing to update the entire browser