Is Firefox shipping with a Rogue SSL CA?

This discussion came across my radar this morning via Hacker News.

Details are still being hashed out, but the fact remains that there is a root CA shipping with Firefox that no one can account for. I recommend removing "RSA Security 1024 V3", but not "RSA Security 2048 V3" (which does actually appear on RSA's Audit Statement [PDF warning]).

Hopefully, this is just one that's fallen into disuse over the last 8 years, and not a case where someone slipped a CA into the distribution and attempted to camouflage it by making it look similar to an existing CA.
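The check the post does by hand (compare the roots Firefox ships against the roots the CA's auditor actually vouches for) can be scripted. The following is an added example, not code from the original post or from Mozilla/NSS. It parses records in the layout NSS uses for its certdata.txt root list (CKA_* attribute lines, blank lines between objects, MULTILINE_OCTAL blobs closed by END) and reports every root trusted for TLS server authentication whose label is missing from an audit list. The sample records, the placeholder octal blobs and the AUDITED list are constructed for this example.

```python
"""Audit an NSS certdata.txt-style root store against a CA's audit statement.

Added illustration (not from the original post or from NSS). The records
below are constructed; the octal blobs are placeholders, not real DER.
"""
from typing import Dict, List

# Constructed sample in certdata.txt layout: a certificate object and a
# trust object per root. Real entries carry the full DER certificate.
SAMPLE_CERTDATA = """\
# Sample root store (constructed for this example)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "RSA Security 2048 V3"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\003\\245
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "RSA Security 2048 V3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "RSA Security 1024 V3"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\002\\130
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "RSA Security 1024 V3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Untrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

# Constructed stand-in for the labels named in the CA's audit statement.
AUDITED = ["RSA Security 2048 V3"]


def parse_certdata(text: str) -> List[Dict[str, str]]:
    """Split certdata text into objects, one dict of CKA_* attributes each.

    Blank lines separate objects; '#' lines are comments. A MULTILINE_OCTAL
    value runs until a line reading END and is kept as its raw escaped text.
    """
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    lines = iter(text.splitlines())
    for line in lines:
        stripped = line.strip()
        if not stripped:
            if current:
                objects.append(current)
                current = {}
            continue
        if stripped.startswith("#"):
            continue
        parts = stripped.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith("CKA_"):
            continue
        name, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if ctype == "MULTILINE_OCTAL":
            # Consume the blob from the same iterator until END.
            blob = []
            for body in lines:
                if body.strip() == "END":
                    break
                blob.append(body.strip())
            value = "".join(blob)
        elif ctype == "UTF8":
            value = value.strip('"')
        current[name] = value
    if current:
        objects.append(current)
    return objects


def server_auth_roots(objects: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each trust object's label (CKO_NSS_TRUST, or the older
    CKO_NETSCAPE_TRUST spelling) to its CKA_TRUST_SERVER_AUTH setting."""
    roots: Dict[str, str] = {}
    for obj in objects:
        if obj.get("CKA_CLASS", "").endswith("_TRUST"):
            roots[obj["CKA_LABEL"]] = obj.get("CKA_TRUST_SERVER_AUTH", "")
    return roots


def unaccounted_roots(objects: List[Dict[str, str]], audited: List[str]) -> List[str]:
    """Labels trusted as TLS trust anchors (TRUSTED_DELEGATOR, in either the
    CKT_NSS_ or older CKT_NETSCAPE_ spelling) that the audit list omits."""
    known = {label.lower() for label in audited}
    return sorted(
        label for label, trust in server_auth_roots(objects).items()
        if trust.endswith("TRUSTED_DELEGATOR") and label.lower() not in known
    )


if __name__ == "__main__":
    for label in unaccounted_roots(parse_certdata(SAMPLE_CERTDATA), AUDITED):
        print("trusted for server auth but not in audit statement:", label)
```

Against the constructed sample this reports only "RSA Security 1024 V3": the 2048-bit root is covered by the audit list, and the "Example Untrusted Root" entry is skipped because its server-auth trust is CKT_NSS_NOT_TRUSTED rather than a trust anchor. To run it against a real store, replace SAMPLE_CERTDATA with the contents of NSS's certdata.txt and AUDITED with the labels from the auditor's statement.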

Update from Kathleen Wilson (thanks to gregms):
I have received email from official representatives of RSA confirming that RSA did indeed create the "RSA Security 1024 V3" root certificate that is currently included in NSS (Netscape/Mozilla) and also in Apple's root cert store.
