
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Updated: Owner of Firefox's mystery root authority is confirmed

By | April 6, 2010, 10:31am PDT

Summary: In a startling revelation, the open-source Mozilla project says that its flagship Firefox browser contains a root certificate authority that doesn’t seem to have a known owner.


It’s quite possible that this is a legitimate root certificate that changed hands during a merger or some other transaction, but the fact that Mozilla’s folks can’t seem to figure out the owner is disconcerting on many levels.

Here’s the disclosure by Kathleen Wilson, who serves as a peer for the “CA certificates module” within the Mozilla project:

“…I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.

Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS.”

A separate bug report identifies the root certificate authority as “RSA Security 1024 V3.”

Interestingly, that root certificate authority is shown as valid in Apple’s System Roots but not in Microsoft’s.

A root certificate authority without a known owner can lead to all kinds of trust issues on the fast-growing browser platform.

Mozilla’s own Gervase Markham is worried about the implications:

That’s rather worrying. Do we know for certain that one or other created it originally? Do we know if it’s in any other root stores other than our own?

The lack of transparency in 2002 re: the source of added roots means we have no idea whether e.g. some malicious actor slipped an extra one into whatever list they were keeping internally to Netscape, and has been MITMing people ever since.

UPDATE: Mozilla now says that an official at RSA has confirmed that the root CA does belong to RSA. Miscommunication drama.

UPDATE #2: Here is the official explanation of what happened from Mozilla’s Johnathan Nightingale.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.


The certificate can be disabled but not removed
TriangleDoor Updated - 6th Apr 2010
Editing Firefox's Options or Preferences, drill down through Advanced to Encryption to View Certificates. To disable this iffy certificate, select it, click Edit, uncheck all of the boxes for its trust options, and then OK your way back out.

Yes, there is a Delete option for certificates. But if you select this iffy cert and delete it, you will find that it has returned after Firefox is closed and run again. The difference is that when the cert returns after having been deleted, its trust option checkboxes will have been cleared--that is, the certificate will have been disabled.

Or so it appears.

Mozilla, fix your UI. If you can't or won't do an action we initiate, tell us--and also tell us what you're going to do instead.
Remove no problem
DoubleChill 6th Apr 2010
I had no difficulty removing the cert.
Did you restart?
Old Techie 7th Apr 2010
As the OP stated, he could delete but the entry was back in the list after a FF restart, although with all trust settings unchecked effectively disabling it.
Potentially *really* bad
honeymonster 6th Apr 2010
Let's hope that they uncover the rightful owner and that this entity turns out to be perfectly legitimate.

If this was an "extra" root cert which was slipped in there on purpose, Firefox users have from day one been exposed to some really bad risks such as spoofing banks etc.
If..
AzuMao 6th Apr 2010
..their DNS server was poisoned, yes, that could happen.

If not, all they have to do is look at the URL bar and make sure it is bank.com and not bank.com.virus.co or something.
It's hard to believe that both Mozilla and Apple would make the same mistake, so it probably is or was a legitimate root certificate. The question is, why can't Mozilla find in their records how the certificate was added?
Lack of proper documentation
Dr_Zinj 6th Apr 2010
"The question is, why can't Mozilla find in their records how the certificate was added?"

Happens all the time.
Yeah
pjdiller 6th Apr 2010
I'm sure it's (trust apple) fine. I trust Apple. It's there for my own (trust Apple) good, no doubt.

happy
so how do we fix this?
Here you go
AzuMao 6th Apr 2010
Tutorial from Comodo


Just go to the "Authorities" tab instead of "Your Certificates"
@AzuMao - Glad to see you...
Isocrates 6th Apr 2010
are a Comodo supporter!
Turn off trust bits
Dietrich T. Schmitz, Linux Advocate 6th Apr 2010
fyi:

https://wiki.mozilla.org/CA:UserCertDB#How_Mozilla_Products_Respond_to_User_Changes_of_Root_Certificates

"If you delete a cert in your database, one that is also in the trusted list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the trusted root list. It may reappear in the trusted root list with the trust flags from that list. That's why we tell people that if they want to get rid of a root, the thing to do is NOT to delete it, but rather is to take away all its trust. (The behavior when a cert is deleted has changed a few times over the years.) "

General rule to follow: turn off all trust bits.
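The NSS root store that the article (a root "included in NSS") and the comment above (take away all trust bits rather than delete) both refer to is built from a text file, certdata.txt, in which each built-in root is a certificate object paired with a trust object. As an added example, not code from the article, Mozilla or NSS, the Python below parses a constructed sample in that format and reports which roots still carry trust bits; the format subset handled is an assumption about certdata.txt, and the sample entries (labels, serial, trust values) are constructed for the demo.

```python
# Added example, not code from the article or from Mozilla/NSS: a reader for
# the certdata.txt format NSS builds its root store from. It reports which
# roots still carry trust bits and which have had every bit turned off.
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")
# current NSS spelling and the older Netscape one, both meaning "trust anchor"
DELEGATOR = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

# Constructed sample in certdata.txt style; real entries also carry the
# certificate itself as a CKA_VALUE MULTILINE_OCTAL blob (omitted here).
SAMPLE_CERTDATA = r"""
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "RSA Security 1024 V3"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\012\124\106\072
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "RSA Security 1024 V3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def _octal_block(lines):
    """Decode a MULTILINE_OCTAL value (\\ooo escapes up to END) into bytes."""
    raw = "".join(iter(lambda: next(lines).strip(), "END"))
    return bytes(int(o, 8) for o in raw.split("\\")[1:])

def parse_certdata(text):
    """Return a list of objects, each a dict of CKA_* attribute -> value."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, typ, value = (line.split(" ", 2) + [""])[:3]
        if typ == "MULTILINE_OCTAL":
            value = _octal_block(lines)   # consumes the block up to END
        elif typ == "UTF8":
            value = value.strip('"')
        if attr == "CKA_CLASS":
            objects.append({})            # CKA_CLASS starts a new object
        objects[-1][attr] = value
    return objects

def root_trust_summary(objects):
    """Map each label to the trust bits that still make it an anchor; an
    empty set means every bit has been turned off, as the comment advises."""
    summary = {}
    for obj in objects:
        bits = {a for a in TRUST_ATTRS if obj.get(a) in DELEGATOR}
        summary[obj["CKA_LABEL"]] = summary.get(obj["CKA_LABEL"], set()) | bits
    return summary
```

Running `root_trust_summary(parse_certdata(open("certdata.txt").read()))` against a real NSS checkout lists every root that is still a trust anchor, which is the list a defender wants when deciding which entries to review.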
THE SKY IS FALLING!!!!!!!!!
domma 6th Apr 2010
run everyone that doesn't understand this!!!
y2k of ssl ooops.....
.. cracked the MD5 of a trusted root authority that had EV SSL privileges.
@King of the Sea - Thanks for the...
Isocrates 6th Apr 2010
info and link.

However, I do appreciate domma's poke at the fearful man or woman who reacts before conducting careful, logical research. Now, with the revelation that the certificate is legitimate, all those who might have removed its trust or, possibly, actually deleted the certificate must undo their hasty actions.
y2k . . .
CobraA1 6th Apr 2010
y2k could've been theoretically worse, and IMO it was a non-event mostly due to the fact that everybody knew it was coming and everybody had it fixed before it hit.

Would it have really been a cataclysm if it wasn't fixed? Probably not, but it could have made a good news day.

I did hear a couple stories afterwards about y2k, but nothing major. But maybe signs that it could've been worse.

In any case - ZDNet definitely suffers from an eternal case of y2k - trying desperately to make news out of stuff that really isn't a big deal when you look back and reflect on it.
RE: Mozilla warns of unknown root certificate authority in Firefox
slingzenarrowzuvowtrayjissforchin 6th Apr 2010
Jeez...that's pretty scary. Somebody at MoFo is asleep at the switch.

I just checked SeaMonkey's list of certificate authorities (v2.0.4), and the renegade CA is listed there. It's also listed in Thunderbird v3.0.1.
It's a relatively simple matter to edit the trust settings to "untrust" the CA.

But still...sheesh...
Where ?
Ashtonian 6th Apr 2010
Where is this in Firefox please?
Here
ejhonda 6th Apr 2010
Tools > Options > Advanced button > Encryption tab > View Certificates button > Authorities tab > scroll down to "RSA Security Inc" entries, and look for the "RSA Security 1024 v3" certificate. There's also one there labeled "RSA Security 2048 v3" that seems to have the same credentials, so that may be suspect too.
RE: Here
fatman65535 Updated - 6th Apr 2010
Thanks for the info, but I found the navigation to start with: Edit > Preferences for both Firefox 3.6 and Thunderbird 3.0.
Hmm...
ejhonda 6th Apr 2010
Not in FF 3.6.3 on Windows. What platform are you on?
*nix
Real World 6th Apr 2010
It's Edit|Preferences (Netscape-style) on Linux.
My Firefox has dozens of root certificates, many from Europe and Asia, some from U.S. corporations such as AOL Time Warner.

It's one thing to know how to turn off a certificate. It's another thing to know which one to turn off.

What certificate are we talking about here?
yes, confusing isn't it.
seannj427 6th Apr 2010
My firefox install has 2 certs by "RSA SECURITY"
1) RSA Security 2048 V3
2) RSA Security 1024 V3

Cert #1 can be installed by Vista x64 as a trusted cert in the certificate store without issues.
Here is the info that Vista has (when you open the cert with crypto shell extensions):
Ensures the identity of a remote computer
Proves your identity to a remote computer
Protects e-mail messages
Ensures software came from software publisher
Protects software from alteration after publication
Allows data to be signed with the current time
All issuance policies"
There is no certification path available. Also no issuer statement. It's quite frankly a badly formed cert but may not be hazardous. On the other hand IF the issuer is a hacker or mafia organization, then there could be problems.

Cert #2 listed above is NOT trusted by Vista.
"This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.".

Both of the certs are poorly formed. By the way, RSA is now owned by EMC. So I'm sure that the person or people who did this were RIF'd a long time ago and no one there knew about it...

The register has more info on this item:
http://www.theregister.co.uk/2010/04/06/mysterious_mozilla_apple_certificate/


-Sean
It would appear that that certificate may have been traded to Valicert, and incorrectly named in the cert stores.

Most likely from this information, it was (once) a legit cert. that was just screwed up by a clerical error. As was noted in the bug-report thread, this error was diagnosed in 2006 in the Debian community.

It would seem the Windows port combines all the .pem files into a single database. I would argue that the code that does this is too forgiving of badly named/formed certs, and should have been rejecting this one all along.
Thanks. Nice post.
Isocrates 6th Apr 2010
No longer a serious concern, but I agree with your assessment.
so what should we do and how should we do it??
Do nothing. Stop worrying about it.
Isocrates 6th Apr 2010
Ryan Naraine (2010, April 6) writes, "UPDATE: Mozilla now says that an official at RSA has confirmed that the root CA authority does belong to RSA. Miscommunication drama" (Emphasis added) (Updated: Owner of Firefox's mystery root authority is confirmed. Zero Day. Retrieved April 6, 2010, from http://blogs.zdnet.com/security/?p=6016).
Right in their documentation
MoeFugger 6th Apr 2010
I found this in their own documentation.
Found them both right here.
They are listed in their documentation.


THE RSA ROOT SIGNING SERVICE
Certification Practice Statement
For RSA Certificate Authorities (CAs)
Last Revision Date: June 28, 2007
Version: 3.0
Published By:
RSA Security Inc.



The CRL access is at the following URLs:
http://www.rsasecurity.com/products/keon/repository/certificate_status/Valicert_Root_CA.CRL
http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA.CRL
http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Security_2048_v3.CRL
http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA_v2.crl
The CRL distribution point will be identified in every certificate.
What about RSA Security 2048 V3 ???
TxM2xTx Updated - 6th Apr 2010
Never mind ... found answer in the other ZDnet posting.

2048 appears to be ok....
RSA lists it in their audit.

Seems the 1024 cert is seen as valid by Apple, but not Microsoft.

http://blogs.zdnet.com/security/?p=6016&tag=wrapper;col1
Posted by: ShadowGIATL Posted on: 04/06/10 (Edited: 04/06/2010 @ 10:52)
Easter bunny owns it
TxM2xTx 6th Apr 2010
Did this come to light with Easter ?
No, April 1st
Old Techie 7th Apr 2010
It's the Elbonians' first volley in the latest cyberwar.
Sorry... false alarm
Samun56 6th Apr 2010
Katleen just posted the following message:

>I have received email from official representatives of RSA confirming
>that RSA did indeed create the "RSA Security 1024 V3" root certificate
>that is currently included in NSS (Netscape/Mozilla) and also in Apple's
>root cert store.
You can't delete it but the edit trust settings are all unchecked, as other have reported. Shutting it off hasn't had any apparent effects yet.
you will get a warning message saying "untrusted SSL certificate do you want to make an exception or block this page" or some-such.
!! >>> This is a False Alarm !!
trog7 Updated - 6th Apr 2010
!! >>> This is a False Alarm !!
I don't see any reason to continue this Blog.

"quote "
Kathleen Wilson
More options Apr 6, 3:22 pm
Newsgroups: mozilla.dev.security.policy
From: Kathleen Wilson
Date: Tue, 06 Apr 2010 12:22:04 -0700
Local: Tues, Apr 6 2010 3:22 pm
Subject: Re: Recommend Removing RSA Security 1024 V3 root certificate authority

I have received email from official representatives of RSA confirming
that RSA did indeed create the "RSA Security 1024 V3" root certificate that is currently included in NSS (Netscape/Mozilla) and also in Apple's root cert store.
"end quote"

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc
False alarm.
markflax 6th Apr 2010
As has been said here previously, this is now confirmed as a false alarm. In the Mozilla discussion group Kathleen Wilson says;

"I have received email from official representatives of RSA confirming that RSA did indeed create the "RSA Security 1024 V3" root certificate that is currently included in NSS (Netscape/Mozilla) and also in Apple's
root cert store."

This seems to me more a failure of RSA than of Mozilla, in that RSA initially indicated the CA was not theirs.

The discussion group thread here;
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc#26fca75f9aeff1dc

Mark
If ZDNet has any shred of journalistic integrity, the entire story would be immediately expunged from the website, as it is totally unwarranted to leave it up! Most readers won't bother to read the entire story, nor the feedback, so ZDNet is unjustly impugning the reputation of the Mozilla Group! Yellow Journalism!
They put an "update" headline on it
Greenknight_z 7th Apr 2010
Even if you only read the headline, you learn it was a false alarm. Good enough for me.
Already a known fact
MoeFugger 6th Apr 2010
I posted that several times in ZDNet.
It is right there in their documentation.
It took me ten min or so to find it.
Someone just crying wolf.
That's what it says here.
Pushing blame is not the answer.
CobraA1 6th Apr 2010
Pushing blame is not the answer here. The problem is, there are no standards for checking the certificates and no central repository of trusted root authorities. It could very well be the RSA simply never gave Microsoft those certificates.
