
Unknown root certificate in Firefox

The Mozilla project has disclosed that Firefox currently contains a root certificate authority that nobody knows anything about. "I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root. Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS." It seems past time for the user community to start paying more attention to the root certificates accepted by our browsers.

Disable it....

Posted Apr 6, 2010 14:55 UTC (Tue) by rfunk (subscriber, #4054)

Edit -> Preferences -> Advanced -> Encryption -> View Certificates
Scroll down to "RSA Security Inc", click on "RSA Security 1024 v3".
Edit. Uncheck the three checkboxes and hit OK.

Unknown root certificate in Firefox

Posted Apr 6, 2010 14:59 UTC (Tue) by bboissin (subscriber, #29506)

Is there a project to actively scan https websites and record who is signed by whom? It would be very interesting to know if any website was signed by this cert.

Unknown root certificate in Firefox

Posted Apr 6, 2010 16:37 UTC (Tue) by Kit (guest, #55925)

A project that records the certificates held by different websites would be fairly useful. It could be used in situations like this to see who even uses this cert (as well as the other certs in NSS's database).

It could also be used by a browser plugin to help detect man-in-the-middle attacks by rogue CAs (some heuristics could help prevent false positives; for example, a changing cert when the prior one was about to expire is less warning-tastic). The browser plugin could help distribute the 'load' of scanning all those https sites by (optionally) reporting back the certs it sees and the timestamps, which would be a useful thing to do for those that think, say, that the recently added Chinese CA will use it for malicious purposes, to capture and record if they actually are.

Unknown root certificate in Firefox

Posted Apr 6, 2010 16:05 UTC (Tue) by Trelane (subscriber, #56877)

Unknown root certificate in Firefox

Posted Apr 6, 2010 16:35 UTC (Tue) by Simon80 (guest, #50887)

If the fear is of someone using this root certificate to enable a man-in-the-middle attack, it's possible to configure the Perspectives extension to watch out for that sort of attack (assuming it works as advertised).

I think that Mozilla should consider adding similar functionality to core Firefox, because most of the users that stand to benefit from more thorough SSL cert verification aren't necessarily aware that there's a problem.
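The observation-based detection that Kit and Simon80 describe (clients report the certificate they saw for a host, a change is flagged unless the previous certificate was about to expire, and the same records answer "who actually chains to this root?") can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Perspectives, Mozilla or NSS. The observations, host names, issuer names and fingerprints are constructed, and the 30-day renewal window is an assumed tuning value.

```python
"""Toy certificate-observation notary (added example, not Perspectives or
any Mozilla/NSS code).  Each client reports the leaf certificate it saw for
a host; the notary flags an unexpected change and can list the hosts whose
current certificate chains to a given issuer."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed heuristic from the thread: a new certificate appearing while the
# old one is within this window of expiry is treated as routine rotation.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Observation:
    host: str
    fingerprint: str      # hex SHA-256 of the DER leaf (constructed below)
    issuer: str           # issuer DN the client saw on the leaf
    not_after: datetime   # leaf expiry
    seen_at: datetime     # when the reporting client connected


class Notary:
    """Keeps, per host, the sequence of leaf certificates clients reported."""

    def __init__(self) -> None:
        self._history: Dict[str, List[Observation]] = {}

    def report(self, obs: Observation) -> str:
        """Record an observation and classify it:
        first-seen, consistent, renewal (plausible rotation) or suspicious."""
        history = self._history.setdefault(obs.host, [])
        prev = history[-1] if history else None
        history.append(obs)
        if prev is None:
            return "first-seen"
        if prev.fingerprint == obs.fingerprint:
            return "consistent"
        # A different certificate: benign if the old one was about to expire
        # (or already had) and the issuer did not change; otherwise worth a warning.
        near_expiry = prev.not_after - obs.seen_at <= RENEWAL_WINDOW
        if near_expiry and prev.issuer == obs.issuer:
            return "renewal"
        return "suspicious"

    def hosts_by_issuer(self, issuer: str) -> List[str]:
        """Hosts whose most recently observed leaf names this issuer; this is
        the 'who even uses this cert?' query for a root under review."""
        return sorted(h for h, hist in self._history.items()
                      if hist[-1].issuer == issuer)


def run_sample() -> dict:
    """Feed constructed observations through a notary and return the verdicts."""
    n = Notary()
    t = datetime(2010, 4, 6)
    issuer1, issuer2 = "CN=Example Issuer 1", "CN=Example Issuer 2"
    verdicts = []
    # Host A: same certificate seen on two consecutive days.
    verdicts.append(n.report(Observation("example-a.test", "aa" * 32, issuer1,
                                         t + timedelta(days=400), t)))
    verdicts.append(n.report(Observation("example-a.test", "aa" * 32, issuer1,
                                         t + timedelta(days=400), t + timedelta(days=1))))
    # Host A: abrupt switch to another issuer while the old cert had 398 days left.
    verdicts.append(n.report(Observation("example-a.test", "bb" * 32, issuer2,
                                         t + timedelta(days=500), t + timedelta(days=2))))
    # Host B: new cert from the same issuer 7 days before the old one expires.
    verdicts.append(n.report(Observation("example-b.test", "cc" * 32, issuer1,
                                         t + timedelta(days=10), t)))
    verdicts.append(n.report(Observation("example-b.test", "dd" * 32, issuer1,
                                         t + timedelta(days=375), t + timedelta(days=3))))
    return {"verdicts": verdicts, "issuer1_hosts": n.hosts_by_issuer(issuer1)}


if __name__ == "__main__":
    print(run_sample())
```

The verdict for host A's third observation is "suspicious" because neither condition of the heuristic holds, while host B's rotation is "renewal". A real notary would compare reports from several vantage points before warning, since a single client's view could itself be the one being intercepted; that quorum step is deliberately left out here.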

Might be just badly documented, not "unknown"

Posted Apr 6, 2010 16:48 UTC (Tue) by dwheeler (guest, #1216)

It may be that at least one is just badly documented, not "unknown".

If you look here:
https://bugzilla.mozilla.org/show_bug.cgi?id=549701

You'll see:

=====================================================
I received the following in email from an RSA representative:
--
The ValiCert Class 3 root is still actively in use for certificate validation and cannot be disabled at this time.

In the past we used the ValiCert Class 3 root to sign the RSA Public Root CA cert that is covered under our WebTrust audit and is used for the actual issuance of customer CA certs under our RSA Root Signing Service. No new CA signings are being performed under the ValiCert Class 3 root hierarchy, but there are customers that still have active certificates chaining to the ValiCert Class 3 root.
...
I would recommend a target date of no earlier than 1/1/2012 for disabling the ValiCert Class 3 root.
--

I have confirmed that the recent WebTrust audit report covers the "RSA Public Root CA V1" and "RSA Security 2048 V3" root certificates.
https://cert.webtrust.org/SealFile?seal=981&file=pdf

Therefore, in this bug I will only propose that the "RSA Security 1024 V3" root certificate be removed from NSS.

Might be just badly documented, not "unknown"

Posted Apr 6, 2010 18:02 UTC (Tue) by dskoll (subscriber, #1630)

I hope all the emails to and from RSA and Verisign reps are signed. Otherwise a nice DoS attack could be to call into doubt the validity of a root certificate...

Might be just badly documented, not "unknown"

Posted Apr 6, 2010 18:43 UTC (Tue) by clump (subscriber, #27801)

I wondered about that too, though what's in question is the 1024 key not the 2048 key. The same submitter (Kathleen Wilson) calls the 1024 key unknown on April second.

Unknown root certificate in Firefox

Posted Apr 6, 2010 22:00 UTC (Tue) by roc (subscriber, #30627)

The article quote is misleading. It's not as if no-one knows where the certificate came from. It came from RSA. The issue is that the certificate is essentially unmaintained and unused.

http://blog.mozilla.com/security/2010/04/06/removing-the-...

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds