Second Root Cert-Private Key Pair Found On Dell Computer

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellroot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellroot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

Re:Using Firefox Meantime

[DarkOx]

You need to wait for the holiday to delete a certificate out of your trusted roots on your personal machine? Wow.

Secondly Firefox did not protect you from anything, the fact they don't share the system cert store did. Yeah it worked out this time to your favor but I honestly don't think Mozilla's failure to integrate with system certificate stores is a win in general. Its actually one of the biggest reasons I think about leaving my beloved SeaMonkey for something else.

For one thing you now have not one but 2 certificate stores you need to audit. That sucks! If a CA says they have been compromised I have to remember to fix it in 2 place instead of one. That isn't a security win. Many users don't probably even realize they don't use the system trusts, so if they get instructions to fix an issue by removing a CA they will likely fail to fix the Mozilla based browser.

Second in managed environments revoking a trust in Mozilla isn't easy to script out, that means Firefox and SeaMonkey installs likely just don't get fixed, again not a security win.

Frankly I think its rather a shame Mozilla does not provide at least the option to use the system trusteded roots.