DigiCert

Announcements 09-24-2014

Mozilla to Add SHA-1 Security Warnings

Yesterday Mozilla announced that they too will discontinue trust in sites secured with SHA-1 certificates and will add a warning to both the Firefox Web Console and the browser itself starting next year.

In their blog post, Mozilla explained the security situation with SHA-1 and stated that they agreed with Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016 or trusted after January 1, 2017.

"SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1." - Mozilla Security Blog

Mozilla will add a security warning to the Web Console to remind developers that they should not be using SHA-1 certificates. This warning will be more prominent if the SHA-1 certificate expires after January 1, 2017. These warnings will appear in the released versions of Firefox in early 2015.

Mozilla also plans to add warnings to the Firefox browser in the future. In 2016, Firefox will begin to show an "Untrusted Connection" error when a newly issued SHA-1 certificate is encountered and in 2017 Firefox will show an "Untrusted Connection" error whenever a SHA-1 certificate is encountered.

This trust deprecation timeline matches what Microsoft announced previously in 2013. Since DigiCert has been preparing for this timeline for the last year, most DigiCert customers should be unaffected by the future Firefox browser warnings. SHA-2 has been the default for all certificates purchased from DigiCert since 2013. However, companies should be aware of and use the DigiCert SHA-1 Sunset Tool to check for and replace any SHA-1 certificates in their environment.
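
The timeline above can also be checked with a short script. This is an added example, not code from Mozilla or from the SHA-1 Sunset Tool: it reads the text printed by `openssl x509 -noout -text` and maps each certificate to the Firefox behaviour described in this post. The sample certificates and hostnames are constructed, and reading "newly issued" as issued on or after January 1, 2016 is an assumption.

```python
import re
from datetime import datetime

# Dates taken from the deprecation timeline in the announcement.
ISSUE_CUTOFF = datetime(2016, 1, 1)   # SHA-1 should not be issued after this
TRUST_CUTOFF = datetime(2017, 1, 1)   # SHA-1 should not be trusted after this

# Constructed samples, trimmed to the three fields the check needs, in the
# layout printed by `openssl x509 -noout -text`. Hostnames are hypothetical.
SAMPLES = {
    "legacy.example": """Signature Algorithm: sha1WithRSAEncryption
            Not Before: Mar  3 00:00:00 2014 GMT
            Not After : Mar  7 12:00:00 2017 GMT""",
    "short.example": """Signature Algorithm: sha1WithRSAEncryption
            Not Before: Jun 10 00:00:00 2014 GMT
            Not After : Jun 10 12:00:00 2016 GMT""",
    "new.example": """Signature Algorithm: ecdsa-with-SHA1
            Not Before: Feb  1 00:00:00 2016 GMT
            Not After : Feb  1 12:00:00 2017 GMT""",
    "modern.example": """Signature Algorithm: sha256WithRSAEncryption
            Not Before: Sep  1 00:00:00 2014 GMT
            Not After : Sep  1 12:00:00 2017 GMT""",
}

def parse_cert_text(text):
    """Return (signature_algorithm, not_before, not_after) from openssl text."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    def when(label):
        raw = re.search(label + r"\s*:\s*(.+?)\s+GMT", text).group(1)
        # openssl pads single-digit days with a space; collapse before parsing
        return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    return alg, when("Not Before"), when("Not After")

def classify(text, today):
    """Map one certificate to the Firefox behaviour the timeline describes."""
    alg, not_before, not_after = parse_cert_text(text)
    if "sha1" not in alg.lower():
        return "ok"
    if today >= TRUST_CUTOFF:
        return "untrusted"            # 2017: every SHA-1 certificate
    if today >= ISSUE_CUTOFF and not_before >= ISSUE_CUTOFF:
        return "untrusted"            # 2016: newly issued SHA-1 certificates
    if not_after > TRUST_CUTOFF:
        return "prominent-warning"    # Web Console: expires after Jan 1, 2017
    return "warning"                  # Web Console: any other SHA-1 certificate

def audit(samples, today):
    return {host: classify(text, today) for host, text in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES, datetime(2015, 6, 1)).items():
        print(f"{host:16} {verdict}")
```

Certificates reported as "prominent-warning" are the ones to replace first, since they are still valid past the date on which SHA-1 trust ends.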
