Mozilla removes orphaned root certificate authority bug

News by Dan Raywood

A bug has been filed with Mozilla with claims that the Firefox web browser contains a root certificate authority that does not seem to have a known owner.

Posted on a Mozilla development security policy Google group, a user proposed that the 'RSA Security 1024 V3' root certificate authority be removed from NSS, as they had not been able to find the current owner of this root.

The poster, Kathleen Wilson, said that both RSA and VeriSign have stated in email that they do not own this root, and that to her knowledge this root has no current owner and no current audit, and should be removed from NSS.

The bug now has an 'assigned' status; it has been approved and is awaiting NSS approval. In a blog update, Johnathan Nightingale, director of Firefox development, confirmed that Mozilla was removing the 'RSA Security 1024 V3' root from that list, as its owners have confirmed that it is not in use and not covered by current audits.

He said: “We regularly check for roots whose audits have lapsed or for whom we don't have an up-to-date point of contact – it is part of keeping our root program healthy.

“The confusion stems from a comment made in the newsgroup threads discussing the removal which suggested that the root didn't have a current owner. We know where the root came from; it was added at RSA's request several years ago and vetted according to our inclusion guidelines.

“When we contacted RSA to confirm current contact and audit information for it, though, we didn't get a clear answer as to whether or not it was in use, covered by recent audits, or decommissioned. We expect every root in our program to have a clear and active owner and, failing to get that clarity from RSA, we moved to pull this root from the product.”

Richard Kirk, European director at Fortify, claimed that this highlights the fact that open source software must be tested for security vulnerabilities - and fixed - before it is used in any business.

He said: “In all software development, there is a trade-off between convenience and taking appropriate security measures, but it's situations like the one with Firefox that highlight the fact that open source software has - generally speaking - more issues than commercially-developed applications.

“Having said that, there are tremendous cost savings, as well as the widespread availability of plug-ins that open source software brings to the better business table. This means that, with good security testing in place, a major company can still use open source and save money at the same time.”

