Last week we became aware of several unauthorized security certificates, issued in violation of the rules for the creation of such certificates. The certificates chained back to a French certificate authority, ANSSI, and had been signed by one of its intermediate certificates. Because certificate authorities like ANSSI can sign trusted certificates for any web site, it is imperative that they follow the rules, so that users can trust them and certificates in general.

Opera reacted immediately by blacklisting the intermediate certificate in a regular browser update. This should be pushed to all users automatically, so users need not take any action. Users of Opera 12 also need to take no action, as Opera 12 did not trust ANSSI to begin with. The update demonstrates how Opera can ensure the safety of users even when CAs misbehave, and even though we no longer operate our own root store. We still have, and will continue to maintain, the ability to override the root store of the underlying operating system and to blacklist certificates. We expect that the operating systems' root stores will be updated shortly as well, but we did not want to leave our users affected until then.

Both ANSSI and Google, who were the first to notice and who informed us, have posted information about this incident as well. We expect that root store operators will communicate further with ANSSI in order to determine how this could happen, and to what degree they will trust ANSSI in the future.
