Zero Day

Ryan Naraine and Dancho Danchev
Home / News & Blogs / Zero Day

Updated: Owner of Firefox's mystery root authority is confirmed

By Ryan Naraine | April 6, 2010, 10:31am PDT

Summary

In a startling revelation, the open-source Mozilla project says that its flagship Firefox browser contains a root certificate authority that doesn’t seem to have a known owner.

Topics

Certification, Mozilla Firefox, Certificate Authority, Web Browsers, Internet, Ryan Naraine

Blogger Info

Ryan Naraine

Biography

Ryan Naraine

Ryan Naraine
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev

Biography

Dancho Danchev

Dancho Danchev
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter
Vendor HotSpot
Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

Updated: In a startling revelation, the open-source Mozilla project says that its flagship Firefox browser contains a root certificate authority that doesn’t seem to have a known owner.

It’s quite possible that this could be a legitimate root certificate that changed hands during a merger or some other transaction but the fact that Mozilla’s folks can’t seem to figure out the owner is disconcerting on many levels.

Here’s the disclosure by Kathleen Wilson, who serves as a peer for the “CA certificates module” within the Mozilla project:

“…I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.

Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS.”

A separate bug report identifies the root certificate authority as “RSA Security 1024 V3.”

Interestingly, that root certificate authority is shown as valid in Apple’s System Roots but not in Microsoft’s.

The risk of a root certificate authority without a valid owner can lead to all kinds of trust security issues on the fast-growing browser platform.

Mozilla’s own Gervase Markham is worried about the implications:follow Ryan Naraine on twitter

That’s rather worrying. Do we know for certain that one or other created it originally? Do we know if it’s in any other root stores other than our own?

The lack of transparency in 2002 re: the source of added roots means we have no idea whether e.g. some malicious actor slipped an extra one into whatever list they were keeping internally to Netscape, and has been MITMing people ever since.

UPDATE: Mozilla now says that an official at RSA has confirmed that the root CA authority does belong to RSA.  Miscommunication drama.

UPDATE #2: Here is the official explanation of what happened from Mozilla’s Johnathan Nightingale.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

More from “Zero Day”

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion

Talkback Most Recent of 58 Talkback(s)

View More Comments

Talkback - Tell Us What You Think

advertisement

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
advertisement