CrySP Speaker Series on Privacy

This speaker series is made possible by an anonymous charitable donation in memory of cypherpunks and privacy advocates Len Sassaman, Hugh Daniel, Hal Finney, and Caspar Bowden.

View the list of past and upcoming speakers

CVE-2022-23491, or Why PO boxes can't be root certificate authorities anymore

Joel Reardon, University of Calgary

[Download (MP4)] [View on Youtube]

June 2, 2023 2:00pm, in DC 3317 and Zoom


Mozilla curates a set of root certificate authorities to validate hostnames for TLS in the Firefox browser. Many other software projects, such as Tor Browser and ca-certificates simply follow Mozilla's list; other entities, such as Apple and Microsoft, make their own decisions for inclusion with considerations for Mozilla's decisions and the associated public discussion.

In March 2023, Mozilla introduced a set of new considerations when deciding on inclusions and removals to their authorities list. Among these are being closely tied through ownership or operation to a spyware operation, having as its address a P.O. box or being a shell corporation, being audited by an auditor that does not audit any other certificate authorities, and not being transparent on matters such as legal domicile and control.

In this talk, we'll discuss our research into a root certificate authority and the associated disclosure that lead to Mozilla distrusting it and Github assigning CVE-2022-23491. This was despite no evidence of any mis-issued certificates or wrongdoing tied to its certificate authority operations. This removal was soon after followed by Mozilla producing their new set of root inclusion considerations, some of which are directly relevant to our disclosure.


Joel Reardon is an associate professor at the University of Calgary who researches mobile security and privacy issues and data collection done through those devices. He received his Bachelors and Master's at the University of Waterloo and his Doctor of Sciences at the ETH Zurich. His research has been covered by the CBC, the BBC, the Washington Post, and the Wall Street Journal, among other places. His research has received the Emilio Aced Research and Personal Data Protection Award, the CNIL - Inria Data Protection Award, and the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies. He likes bicycling and snowboarding.