Zero Day
Updated: Owner of Firefox's mystery root authority is confirmed
By Ryan Naraine and Dancho Danchev
Blogger Info: Ryan Naraine
Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.
Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.
Updated: In a startling revelation, the open-source Mozilla project says that its flagship Firefox browser contains a root certificate authority that doesn’t seem to have a known owner.
It’s quite possible that this is a legitimate root certificate that changed hands during a merger or some other transaction, but the fact that Mozilla’s folks can’t seem to figure out the owner is disconcerting on many levels.
Here’s the disclosure by Kathleen Wilson, who serves as a peer for the “CA certificates module” within the Mozilla project:
“…I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.
Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS.”
A separate bug report identifies the root certificate authority as “RSA Security 1024 V3.”
Interestingly, that root certificate authority is shown as valid in Apple’s System Roots but not in Microsoft’s.
A root certificate authority with no accountable owner (and therefore no current audit) can lead to all kinds of trust problems on the fast-growing browser platform.
Mozilla’s own Gervase Markham is worried about the implications:
That’s rather worrying. Do we know for certain that one or other created it originally? Do we know if it’s in any other root stores other than our own?
The lack of transparency in 2002 re: the source of added roots means we have no idea whether e.g. some malicious actor slipped an extra one into whatever list they were keeping internally to Netscape, and has been MITMing people ever since.
UPDATE: Mozilla now says that an official at RSA has confirmed that the root CA does belong to RSA. Miscommunication drama.
UPDATE #2: Here is the official explanation of what happened from Mozilla’s Johnathan Nightingale.
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.
Talkback: Most Recent of 58 Talkback(s)
The certificate can be disabled but not removed
Editing Firefox's Options or Preferences, drill down through Advanced to Encryption to View Certificates. To disable this iffy certificate, select it, click Edit, uncheck all of the boxes for its trust options, and then OK your way back out.
Yes, there is a Delete option for certificates. But if you select this iffy cert and delete it, you will find that it has returned after Firefox is closed and run again. The difference is that when the cert returns after having been deleted, its trust option checkboxes will have been cleared--that is, the certificate will have been disabled.
Or so it appears.
Mozilla, fix your UI. If you can't or won't do an action we initiate, tell us--and also tell us what you're going to do instead.
TriangleDoor (Edited: 04/06/2010 11:10 AM)
Remove no problem
I had no difficulty removing the cert.
DoubleChill, 04/06/2010 01:14 PM
Did you restart?
As the OP stated, he could delete but the entry was back in the list after a FF restart, although with all trust settings unchecked effectively disabling it.
Old Techie, 04/07/2010 05:47 AM
Potentially *really* bad
Let's hope that they uncover the rightful owner and that this entity turns out to be perfectly legitimate.
If this was an "extra" root cert which was slipped in there on purpose, Firefox users have from day one been exposed to some really bad risks such as spoofing banks etc.
honeymonster, 04/06/2010 11:10 AM
If..
..their DNS server was poisoned, yes, that could happen.
If not, all they have to do is look at the URL bar and make sure it is bank.com and not bank.com.virus.co or something.
AzuMao, 04/06/2010 02:13 PM
RE: Mozilla warns of unknown root certificate authority in Firefox
It's hard to believe that both Mozilla and Apple would make the same mistake, so it probably is or was a legitimate root certificate. The question is, why can't Mozilla find in their records how the certificate was added?
steve@..., 04/06/2010 11:39 AM
Lack of proper documentation
"The question is, why can't Mozilla find in their records how the certificate was added?"
Happens all the time.
Dr_Zinj, 04/06/2010 11:44 AM
Yeah
I'm sure it's (trust apple) fine. I trust Apple. It's there for my own (trust Apple) good, no doubt.
pjdiller, 04/06/2010 11:58 AM
RE: Mozilla warns of unknown root certificate authority in Firefox
so how do we fix this?
ajaycee, 04/06/2010 11:40 AM
@AzuMao - Glad to see you...
are a Comodo supporter!
Isocrates, 04/06/2010 03:03 PM
Turn off trust bits
fyi:
https://wiki.mozilla.org/CA:UserCertDB#How_Mozilla_Products_Respond_to_User_Changes_of_Root_Certificates
"If you delete a cert in your database, one that is also in the trusted list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the trusted root list. It may reappear in the trusted root list with the trust flags from that list. That's why we tell people that if they want to get rid of a root, the thing to do is NOT to delete it, but rather is to take away all its trust. (The behavior when a cert is deleted has changed a few times over the years.)"
General rule to follow: turn off all trust bits.
Dietrich T. Schmitz, Linux Advocate, 04/06/2010 11:43 AM
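To make concrete what this comment and TriangleDoor's earlier one are getting at (clear the root's trust bits rather than deleting it), and the exposure Gervase Markham describes in the article, here is an added example that is not from the article, the commenters or Mozilla: it builds a constructed, throwaway root that stands in for an unowned store entry, has that root issue a server certificate, and shows that the certificate is accepted only while the root is trusted. MustBuildScenario, ChainValid, the root's name and bank.example are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// sign creates the certificate described by tmpl, signs it with parentKey and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// MustBuildScenario makes a throwaway root with no traceable owner (constructed here; not the real "RSA Security 1024 V3" root) and a server certificate that root issued for host; any failure is a bug in this demo itself, so it panics.
func MustBuildScenario(host string) (root, leaf *x509.Certificate) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		panic(fmt.Errorf("key generation failed: %v / %v", err, err2))
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Mystery Root (constructed)"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if root, err = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil { // self-signed, like every root in a store
		panic(err)
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if leaf, err = sign(leafTmpl, root, &leafKey.PublicKey, rootKey); err != nil {
		panic(err)
	}
	return root, leaf
}
// ChainValid reports whether leaf verifies for host when root is the only trusted root; passing nil for root models the store after the root's trust bits have been cleared.
func ChainValid(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
func main() {
	root, leaf := MustBuildScenario("bank.example")
	fmt.Println("trusted:", ChainValid(leaf, root, "bank.example"), "distrusted:", ChainValid(leaf, nil, "bank.example")) // true, false
}
```

The same certificate that a browser would accept for bank.example while the root carries trust bits is rejected the moment those bits are gone, which is why clearing trust, not deleting the entry, is the fix the Mozilla wiki recommends.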
THE SKY IS FALLING!!!!!!!!!
run everyone that doesn't understand this!!!
y2k of ssl ooops.....
domma, 04/06/2010 11:47 AM