Intrepidus Group
Insight

SSL Mystery Theater

Posted: April 6, 2010 – 7:09 am | Author: Mike Zusman | Filed under: ssl

Some frightening chatter from the mozilla.dev.security.policy list. A root certificate that would appear to be owned by RSA has been included in the NSS root store for the better part of a decade, and expires in 2026. Unfortunately, RSA does not claim to own it, and its true origin is currently unknown.

“The lack of transparency in 2002 re: the source of added roots means we
have no idea whether e.g. some malicious actor slipped an extra one into
whatever list they were keeping internally to Netscape, and has been
MITMing people ever since.”

According to the thread, the same certificate is in the Apple root store, but not Microsoft’s. Another interesting bit of information comes from Florian Weimer, who states in the thread:

“For instance, the Equifax root isn’t controlled by Equifax anymore,
and there are a couple of such examples. There was a time when roots were
traded heavily.”

It had not occurred to me that roots (the chains of trust for the Internet) can be traded, bought, and sold. It is possible that the cert in question, named “RSA Security 1024 V3”, was originally created by RSA, but is now owned by someone else. Even if it is owned by a legitimate entity, this does not bode well for the concepts of transparency, identity, and trust.

If this story gets a following, and the integrity of EV comes back into question, I wonder what the big CAs will say.


One Trackback

  1. [...] This post was mentioned on Twitter by drakkhen, Intrepidus Group. Intrepidus Group said: And now it’s time for “SSL Mystery Theater” with @schmoilito — http://bit.ly/9lSZ3a [blog] ^Z [...]
