Mozilla + unknown root certificate authority in Firefox

Postby DaFoxx » Tue Apr 06, 2010 8:12 pm

In a startling revelation, the open-source Mozilla project says that its flagship Firefox browser contains a root certificate authority that doesn’t seem to have a known owner.

if this is a little above your tech radar, the down side is that it could be that Firefox has been utilised as an attack vector since this CA was admitted

put another way

The lack of transparency in 2002 re: the source of added roots means we have no idea whether e.g. some malicious actor slipped an extra one into whatever list they were keeping internally to Netscape, and has been MITMing people ever since.

MitM = Man in the Middle

In cryptography, the man-in-the-middle attack (often abbreviated MITM), or bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.

wonder where this will end up :?
Beware of Geeks bearing GIF's :mrgreen:

Re: Mozilla + unknown root certificate authority in Firefox

Postby SirDice » Wed Apr 07, 2010 11:14 am

The root CA will be removed, you can remove it yourself too without any problems. RSA confirmed it was theirs and that they're not using it anymore.
Oliver's Law:
Experience is something you don't get until just after you need it.

Re: Mozilla + unknown root certificate authority in Firefox

Postby Aspman » Thu Apr 15, 2010 11:48 am

There was an article recently that there have been zero detected incidents caused by invalid, malicious certifications and that the certificate warnings you get are basically pointless theatre.

I think it was on Schneier a couple of months ago.

There are other simpler ways to get stuff, hacking certs is too much work, for now.
"Man will never be free until the last king is strangled with the entrails of the last priest."
- Denis Diderot (1713-1784)