LWN: Comments on "Unknown root certificate in Firefox"

Unknown root certificate in Firefox

roc — Tue, 06 Apr 2010 22:00:56 +0000

The article quote is misleading. It's not as if no-one knows where the certificate came from. It came from RSA. The issue is that the certificate is essentially unmaintained and unused.

http://blog.mozilla.com/security/2010/04/06/removing-the-...

Might be just badly documented, not "unknown"

clump — Tue, 06 Apr 2010 18:43:51 +0000

I wondered about that too, though what's in question is the 1024 key not the 2048 key. The same submitter (Kathleen Wilson) calls the 1024 key unknown on April second.

Might be just badly documented, not "unknown"

dskoll — Tue, 06 Apr 2010 18:02:39 +0000

I hope all the emails to and from RSA and Verisign reps are signed. Otherwise a nice DoS attack could be to call into doubt the validity of a root certificate...

Might be just badly documented, not "unknown"

dwheeler — Tue, 06 Apr 2010 16:48:36 +0000

It may be that at least one is just badly documented, not "unknown".

If you look here:
https://bugzilla.mozilla.org/show_bug.cgi?id=549701

You'll see:

=====================================================
I received the following in email from an RSA representative:
--
The ValiCert Class 3 root is still actively in use for certificate
validation and cannot be disabled at this time.

In the past we used the ValiCert Class 3 root to sign the RSA Public
Root CA cert that is covered under our WebTrust audit and is used for
the actual issuance of customer CA certs under our RSA Root Signing
Service. No new CA signings are being performed under the ValiCert
Class 3 root hierarchy, but there are customers that still have active
certificates chaining to the ValiCert Class 3 root.
...
I would recommend a target date of no earlier than 1/1/2012 for disabling the
ValiCert Class 3 root.
--

I have confirmed that the recent WebTrust audit report covers the "RSA Public
Root CA V1" and "RSA Security 2048 V3" root certificates.
https://cert.webtrust.org/SealFile?seal=981&file=pdf

Therefore, in this bug I will only propose that the "RSA Security 1024 V3" root
certificate be removed from NSS.

Unknown root certificate in Firefox

Kit — Tue, 06 Apr 2010 16:37:56 +0000

A project that records the certificates held by different websites would be fairly useful. It could be used in situations like this to see who even uses this cert (as well as the other certs in NSS's database).

It could also be used by a browser plugin to help detect man in the middle attacks by rogue CAs (some heuristics could help prevent false positives, such as a changing cert when the prior one was about to expire is less warning-tastic). The browser plugin could help distribute the 'load' of scanning all those https sites, by (optionally) reporting back the certs it sees and the time stamps- which would be a useful thing to do for those that think, say, that the recently added Chinese CA will use it for malicious purposes to capture and record if they actually are.

Unknown root certificate in Firefox

Simon80 — Tue, 06 Apr 2010 16:35:27 +0000

If the fear is of someone using this root certificate to enable a man-in-the-middle attack, it's possible to configure the Perspectives extension to watch out for that sort of attack (assuming it works as advertised).

I think that Mozilla should consider adding similar functionality to core Firefox, because most of the users that stand to benefit from more thorough SSL cert verification aren't necessarily aware that there's a problem.

Unknown root certificate in Firefox

Trelane — Tue, 06 Apr 2010 16:05:01 +0000

The bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=549701
The commit bug, apparently: https://bugzilla.mozilla.org/show_bug.cgi?id=139874

Unknown root certificate in Firefox

bboissin — Tue, 06 Apr 2010 14:59:33 +0000

Is there a project to actively scan https website and record who is signed
by who? It would be very interesting to know if any website was signed by
this cert.

Disable it....

rfunk — Tue, 06 Apr 2010 14:55:30 +0000

Edit -> Preferences -> Advanced -> Encryption -> View Certificates
Scroll down to "RSA Security Inc", click on "RSA Security 1024 v3".
Edit. Uncheck the three checkboxes and hit OK.