back to article RSA says it fathered orphan credential in Firefox, Mac OS

Digital certificate authority RSA Security on Tuesday acknowledged it issued a root authentication credential shipped in in the Mac operating system and Mozilla web browsers and email programs, ending four days of confusion about who controlled the ultra-sensitive document. The "RSA Security 1024 V3" certificate is a master …

COMMENTS

This topic is closed for new posts.
  1. dr2chase

    More questions...

    What about "RSA Security 2048 V3", same expiration date?

    Presumably people have already tried disabling this certificate -- any bad effects yet?

    (I disabled mine about a minute ago).

    1. Anonymous Coward
      Anonymous Coward

      Re: More questions..

      > What about "RSA Security 2048 V3", same expiration date?

      It's mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=549701

      Take a look and make your own judgement.

  2. Anonymous Coward
    FAIL

    RSA? dont u mean PRC RULZ u ALLZ

    this is serious lvl of OWNAGE!!!

    ALL UR KEY BELONG TO PRC

    wonder if M$ is also, oh hang on they didnt need to bother, its soo full of holez it would be a wast of thier LEET tallent to waste more time on them.

    EPIC!!!

    1. Anonymous Coward
      Headmaster

      What?

      I can't even determine what language you are writing in, let alone what it says.

      1. Anonymous Coward
        Anonymous Coward

        @AC 0831

        I believe the post you can't read is written by an "Elite Hacksaw" using his own propriatary dialect.

    2. Anonymous Coward
      WTF?

      Excuse me?

      "IS THERE A GROWN-UP ABOUT OR SOMEONE WHO LOOKS AFTER YOU? WE NEED TO KNOW IF YOU"RE ALRIGHT OR HAVING SOME SORT OF SEIZURE?"

  3. John Sanders
    Paris Hilton

    Big brother....

    Is signing my certificate.

  4. Ron Murray

    Don't panic

    The (current) last entry in the Bugzilla page (https://bugzilla.mozilla.org/show_bug.cgi?id=549701) indicates that RSA have decided they own this one after all.

    Phew. Wish they'd make up their minds.

  5. Chris Lewis
    Happy

    Breaking: it's valid

    The latest news, according to this mozilla.dev news group thread, is that the certificate is valid:

    http://tinyurl.com/ssl-cert-ok

    Phew...

  6. Anonymous Coward
    WTF?

    oh! sure!

    surely i hope this is not the reason for my fucked up bank-account

    who will ever be ABLE to testify 100% this could not have been a case of brilliant mitm attack ?

    what proof can i have the last post of 'Kathleen Wilson' over at http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc does actually confirm this is a certificate issued by RSA

    Who says she's the real Kathleen Wilson, why is this only now a topic ?

    what IS going on ?

    Dammit.

  7. Anonymous Coward
    Anonymous Coward

    Potential use?

    If I understand it correctly, this certificate can't be used to cause a problem for legitimate sites, since they would know the CA that they're using. the problem is that some unknown organisation is able to issue certificates validated by this credential. Not sure how big a problem that is, though, since they are still valid (ie they are issued by the CA they refer to). I'm sure something could be made of it, but it makes my brain hurt trying to work it out.

    Anyway, if they can't track down the source then they (mozilla etc) should fix it asap, since trust in certificates and CAs is fundamental, and it has been undermined.

    1. No, I will not fix your computer

      ......problem

      How this could be (ab)used (a different example);

      1. Create a self signed CA

      2. Create a cert signed by the above CA for your favourite bank/paypal/ebay etc.

      3. Create an evil server on 'tinternet that looks like your favourite bank/paypal/ebay etc.

      4. Place the CA signed certifcate on the server

      Currently this isn't very effective as nothing points to your server, so go to the local cyber cafe and either hack the hosts file or DNS to point your favourite bank/paypal/ebay etc. to your evil server, again this isn't very effective as you'll get the cerificate warning, so import the CA certifcate into cyber cafe PC and no warning, the set name checks out and if your evil server is just (non transparrent) proxying the request back to your favourite bank/paypal/ebay etc. it even works (except your evil server has access to everything you type).

      This is why (in addition to keyloggers) you should never use an unknown PC for secure transactions, what's worse about an "unknown" CA certificate (and the importance of never being able to break RSA keys) is that a bad CA cert compromises every single website.

      1. Anonymous Coward
        Thumb Up

        Re : ...... problem

        Good explanation - I actually understood it. It emphasises the point that we place a lot of trust in the root certificates, such that any subversion of them can give a lot of power to the ne'er-do-well. So why are mozilla/RSA/both so sloppy about tracking their status as in this case?

  8. Mike Flex

    Oops, nothing to see here, move along folks.

    RSA now seem to have remembered that this is their certificate after all:

    https://bugzilla.mozilla.org/show_bug.cgi?id=549701#c5

    So a raspberry to RSA for not keeping better track of their certificates

    and another one to Mozilla for not retaining an audit trail for the

    certificates embedded in their products.

  9. ElReg!comments!Pierre

    How many certificate do we need?

    Well, we certainly do not need any by default. I understand that the practice is for software vendors to accept hundred if not thousands of CA certificate by default to make things easy-peasy for the tech-illiterate crowd, but that rather defeats the very purpose of such certificates. I for one refuse everything by default and add the certificates manually as needed (and that of course include those for my own CAs, most of which are not validated by Verisign or any crook of the ilk).

    1. Anonymous Coward
      Thumb Down

      um

      "I understand that the practice is for software vendors to accept hundred if not thousands of CA certificate by default to make things easy-peasy for the tech-illiterate crowd"

      That statement has no apparent basis in fact. I can't think of any software which "accepts" hundreds of CAs, never mind thousands. Can you share an example?

      1. Brett Brennan 1

        Chain of Trust

        Pierre is correct, broadly, in the assertion that vendors add a large number of CA certificates automatically to their products for the purpose of providing a "Chain of Trust" to lower level certificates registered against the CA. This is how Mark Shuttleworth made is millions: by establishing a "MLM" certification chain.

        The point Pierre is making is that there are a large number of Certification Authorities listed...because there are a lot of different companies that register their private certificates with all sorts of different authorities. In order to prevent "preferential" treatment of some sites over others, every major corporate certification root is included with most browsers, OS, etc. as a matter of course.

        In reality, what Pierre suggest is the better course of action: remove ALL authorities from your certificate store, and only add them back in as you need them to authenticate web sites or other data sources that require a chain of authentication.

        Of course, this assumes that you know what you're doing...which, as Pierre points out, most Netizens have no clue about.

        1. ElReg!comments!Pierre

          Thank you Brett

          Thank you for this dash of sanity! I admit that «thousands» of certificates was an exaggeration but you got my point. A CA certificate should be a trust pact between the end user and the CA; though I trust most of my software vendors to develop good software, I don't really trust them to «sign» these «trust pacts» in my place and select my points of entry in the famed «web of trust» (bleuargh).

          Just look at the default list of certificate in Firefox: maybe not thousands, but most definitely over a hundred CA certificates (there are almost 20 just for Verisign!), most of which none of my users will come across, ever. That's as many potential security breaches.

          1. Anonymous Coward
            WTF?

            No.

            @Pierre:

            Yes, so every internet banking web site on the internet will throw up an error when a clueless netizen visits the site, whether the chain of trust is secure or not. I'm sure that wont cause any problems.

            Don't be stupid. The average web user has no idea to evaluate this sort of thing, it's best left to somebody with technical knowledge and understanding. Like, maybe the browser developer.

  10. Ivan Voras
    FAIL

    CAs are a scam anyway

    It's nothing new - many have observed that the current situation where there are a dozen CAs who do at best the bare minimum of checks of their certificate applicants and where the users are so confused over whether to trust certificates or not (in the light of self-signed certificates, etc), the whole CA idea has become broken.

    It's centered on dozens of "blessed as infallible" certificate issuers - and there can be no formulaic guarantees that people wielding such high-level "trust supply" are not prone to errors. Adding to this is the issue of "green address bar" vs "yellow address bar" certificates and the whole thing degenerates into a money extracting operation without proper services being provided.

    1. Frumious Bandersnatch
      Joke

      "blessed as infallibible" (sic)

      Could be a lucrative sector for the Vatican to get involved in... "our certs are infalllibible!"

  11. Pablo
    Headmaster

    Hey!

    Please do not refer to Usenet as "Google Groups".

    1. TeeCee Gold badge
      Alert

      Re: Hey!

      Try telling Google, who've plastered "Google groups" all over the linked thread.

      I guess that someone must have taken their dibs off Usenet briefly so it belongs to Google now.

  12. Anonymous Coward
    Black Helicopters

    I smell a rat!

    <paranoia>

    Is it not convenient that RSA "remembered" that they had issued the root cert and came forward at the last moment to claim fatherhood... what if this was spoof... what if they had been put up to cover it? Perhaps it is really someone else's? ...

    Doesn't anyone remember the discovery of the _NSAKEY in Windows??

    http://en.wikipedia.org/wiki/NSAKEY

    </paranoia>

    1. Tom Chiverton 1 Silver badge

      Easy to refute

      Easy enough to prove, they just have to sign something with it...

  13. Anonymous Coward
    Megaphone

    RSA ?

    Convenient ?

    What about RSA security appliances relying solely on ActiveX ( hence IE only ) to operate using a web interface which is actually sporting a certificate ( RSA 1024 v3 by chance ? huh ? ) which is actually determined " to contain errors " by ... of all browsers ... Internet Explorer

    < paranoia >

    This con RIEKS of something ending in spiracy.

    Does it not ?

    </paranoia>

    Or simply business over safety ? cross-platform availability ?

    Need - I - go - on ?

  14. amanfromMars 1 Silver badge
    Grenade

    All your secrets belong to ...

    .....well, that is one of those Need to Know Compartmentalised Unknowns, Known to a Choosy Few, MeThinks :-)

    ""Either an unknown attacker somewhere in the world has had unlimited access to SSL traffic for an unknown amount of time, or the people who we have entrusted with this critical piece of web infrastructure can't even keep track of their own certificates.""

    What do you imagine are the odds against it being an unknown lone attacker/hacker/code cracker, which would raise the distinct probability of continued unlimited world access being currently available and most likely more stealthily used for it to remain as an active unknown remote facility?

  15. Anonymous Coward
    Anonymous Coward

    Makes you think? If only.

    This merely highlights a problem that should have been blindingly obvious to everyone right at the start. Who do we trust, and what does it mean when we say we trust someone?

    In SSL parlance, ``being trustworthy'' translates to ``paid some organisation a sack of dosh for a certificate'' for most, and ``were around to get their certificate included in key certificate stores'' for the happy few.

    Not quite a ponzi scheme, but not something most of us would ordinarily recognise as ``trust''. And yet, it's the prevalent way of ensuring anything on the internet. How come?

    I could answer that, but the message would get rejected by moderator for being black hole class cynisism. So supply your own, or badger el reg to put its experts from the intarwebt00bz desk on it.

  16. Peter Simpson 1
    Thumb Up

    From Google Group - it's RSA's

    A recent posting on Google Groups indicates the cert was created by RSA:

    <quote>

    I have received email from official representatives of RSA confirming that RSA did indeed create the "RSA Security 1024 V3" root certificate that is currently included in NSS (Netscape/Mozilla) and also in Apple's root cert store.

    Kathleen Wilson

    </quote>

This topic is closed for new posts.