Mozilla Warns of Unknown Root Certificate Authority in Firefox

In a startling revelation, the open-source Mozilla project says that its flagship Firefox browser contains a root certificate authority that doesn’t seem to have a known owner.
It’s quite possible that this could be a legitimate root certificate that changed hands during a merger or some other transaction but the fact that Mozilla’s folks can’t seem to figure out the owner is disconcerting on many levels.

Here’s the disclosure by Kathleen Wilson, who serves as a peer for the “CA certificates module” within the Mozilla project:


“…I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.


Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS.”


A separate bug report identifies the root certificate authority as “RSA Security 1024 V3.”


Interestingly, that root certificate authority is shown as valid in Apple’s System Roots but not in Microsoft’s.


A trusted root whose owner is unknown is a root whose audit status and private-key custody are also unknown, and that undermines the browser's trust model: whoever holds that root's key can issue a certificate for any site, and Firefox will accept it without complaint. That is why the recommendation is removal from NSS rather than a wait-and-see.
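As an added illustration (example code written for this page, not Mozilla's or NSS's tooling), the Go program below builds a toy trust store with two freshly generated, self-signed roots: a 2048-bit one with an owner of record and a 1024-bit one that borrows the name from the bug report but is otherwise constructed here, with no relation to the real certificate. It shows two things: an audit pass that flags a root with no owner of record (looked up by SHA-256 fingerprint, the way root-program registries key their entries) or an RSA key under 2048 bits, and a leaf certificate for a hypothetical www.example.com that a client accepts while the orphan root is trusted and rejects once that root is removed from the store. The owner registry, subject names and host are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// NewRoot builds a self-signed CA certificate with a freshly generated RSA key.
// Constructed for this example: the subject names are stand-ins and the keys are
// throwaway, so nothing produced here is a real root.
func NewRoot(cn, org string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	subj := pkix.Name{CommonName: cn}
	if org != "" {
		subj.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subj,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLeaf issues a TLS server certificate for host, signed by parent's key.
func NewLeaf(host string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint returns the hex SHA-256 of the DER certificate, the identifier
// root-program registries use for a root.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// AuditRoot returns the findings a root-store review would raise for c:
// no owner of record in the (assumed) registry, an RSA key below 2048 bits,
// or a root that is not actually self-signed.
func AuditRoot(c *x509.Certificate, owners map[string]string) []string {
	var findings []string
	if _, ok := owners[Fingerprint(c)]; !ok {
		findings = append(findings, "no owner of record (and therefore no audit) for this fingerprint")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	if err := c.CheckSignatureFrom(c); err != nil {
		findings = append(findings, "root is not self-signed: "+err.Error())
	}
	return findings
}

// ChainsToStore reports whether a client trusting exactly the roots in store
// would accept leaf for host. Removing a root from store is the fix the article
// describes: once the orphan root is gone, anything it signed stops validating.
func ChainsToStore(leaf *x509.Certificate, store []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range store {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	good, _, err := NewRoot("Example Trusted Root", "Example Trust Services", 2048)
	if err != nil {
		panic(err)
	}
	// Stand-in for the root from the bug report; constructed here, not the real one.
	orphan, orphanKey, err := NewRoot("RSA Security 1024 V3", "", 1024)
	if err != nil {
		panic(err)
	}
	leaf, err := NewLeaf("www.example.com", orphan, orphanKey)
	if err != nil {
		panic(err)
	}
	owners := map[string]string{Fingerprint(good): "Example Trust Services"} // assumed registry
	for _, r := range []*x509.Certificate{good, orphan} {
		fmt.Printf("%s: %v\n", r.Subject.CommonName, AuditRoot(r, owners))
	}
	fmt.Println("leaf accepted with orphan root trusted:", ChainsToStore(leaf, []*x509.Certificate{good, orphan}, "www.example.com"))
	fmt.Println("leaf accepted after removing orphan root:", ChainsToStore(leaf, []*x509.Certificate{good}, "www.example.com"))
}
```

Keying the registry on the SHA-256 fingerprint rather than the subject name is deliberate: two roots can carry the same distinguished name, and the question Wilson was asking is about one specific certificate.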


Mozilla’s own Gervase Markham is worried about the implications:


That’s rather worrying. Do we know for certain that one or other created it originally? Do we know if it’s in any other root stores other than our own?


The lack of transparency in 2002 re: the source of added roots means we have no idea whether e.g. some malicious actor slipped an extra one into whatever list they were keeping internally to Netscape, and has been MITMing people ever since.


UPDATE: Mozilla now says it has received official word from RSA that they do in fact own the root CA in question.  Miscommunication drama.

Discussion

  • Anonymous on

    How did EMC / RSA deny this and then go "oops" at everyone?

  • Anonymous on

    You should post the Update comment at the top of this article to avoid alarming people needlessly.

  • Anonymous on

    I agree with the previous post, you definitely should have posted the update first rather than dramatize the article title needlessly and waste our time.

  • Anonymous on

    What version(s) of Firefox has/have this invalid root certificate? I have an older version.

  • Anonymous on

    Right!  This from the people who are holding cacert.org up.  Honestly, Mozilla's losing it.

  • Anonymous on

    I have been getting blocked unauthorized intrusive updates to Mozilla, and was able to temporarily stop them by blocking SSL. I have also found SONY and Adobe data in the intrusions even though they are specifically blocked by the browser. Maybe this is why, but I will not trust many machines until I replace their BIOS and other kinds of firmware such as FPGAs, GPUs, etc. with either original versions or in any case, anything in the way of software that does not show the source code. I would also like to see the source code of Mozilla to determine why I can't block Adobe plug-ins, and will be using gnash, xpdf, and other well examined source alternatives until I can determine the source of associated spyware, MITMs, and other anomalies. A big question is why doesn't Mozilla include DOM and supercookies in its cookies settings, in general. It seems to me that scripts can run in supercookie and DOM space, and have been doing so earnestly in the past 6 months at least. These often behave like the remote desktop function of one of SONY's rootkits, except now even in Linux, which has Mozilla in common with "MegaVirus(TM) SlowDoze(TM)". I cannot accept responsibility for any illegal thru-traffic captured, which the settings said were "blocked", nor any open ports that I had closed.