Starting in Firefox 51, Mozilla’s web browser will display an error when a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program.
Designed over two decades ago, the SHA-1 algorithm has become an important Internet security standard used in HTTPS connections, but recent research has revealed that the cost of breaking the SHA-1 cryptographic hash function is lower than previously estimated.
As a result, many tech companies decided to sunset the algorithm, with Google first announcing such plans in Sept. 2014. Last year, the company revealed that it might start rejecting SHA-1 certificates this year, sooner than initially intended.
Mozilla announced similar plans last year, but in January, after Firefox 43 began rejecting new SSL certificates that use the SHA-1 cryptographic hash function, the company re-enabled support after evaluating the impact on users. In February, the company allowed Symantec to issue nine new SHA-1-based SSL certificates to payment processor Worldpay.
Starting in Feb. 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates, the tech giant announced several months ago.
Beginning Jan. 2017, Firefox 51 will show “an overridable ‘Untrusted Connection’ error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program,” Mozilla says now. The company also notes that SHA-1 certificates that chain up to manually-imported root certificates will continue to be supported by default, so that enterprises can continue using SHA-1 certificates.
The issuance of SHA-1 certificates mostly halted for the public web in January this year, and new certificates have adopted more secure algorithms, the company says. Thus, the use of SHA-1 on the Internet dropped from 3.5% to 0.8%, Firefox Telemetry data shows.
Mozilla said that it would enable the deprecation of SHA-1 SSL certificates for some of its Firefox 51 Beta users (the beta phase will start November 7), “to evaluate the impact of the policy on real-world usage.” Once Firefox 51 arrives in Jan. 2017, the company will disable support for SHA-1 certificates from publicly-trusted certificate authorities for a small subset of users, then expand to more users afterwards, eventually disabling the algorithm completely.

