Mozilla Allows Symantec to Issue SHA-1 Certificates to Payment Processor

Mozilla has decided to allow Symantec to issue nine new SSL/TLS certificates with SHA-1-based signatures to payment processor Worldpay, after the company failed to move its payment devices off SHA-1 in time.

Worldpay approached Mozilla and the other browser vendors through Symantec, its certificate authority (CA), saying it had failed to renew some SHA-1 server certificates before December 31, 2015, the last day on which publicly trusted CAs were permitted to issue them under the CA/Browser Forum Baseline Requirements.

Worldpay has started transitioning to SHA-2, but the migration is not complete for part of its infrastructure. Without the new SHA-1 certificates, the company estimates that more than 10,000 payment terminals around the world would stop working.

After an internal debate, Mozilla decided to grant the request under several conditions. The certificates may only be issued for the specific domain names Symantec requested, and they must be logged in Certificate Transparency (CT) logs.

Furthermore, each SHA-1 certificate must have a lifetime of no more than 90 days, and reissuance cannot extend their use beyond December 31, 2016. Worldpay may ask for the certificates to be reissued, but it must do so at least two weeks in advance, and Mozilla may change its conditions or refuse the request.

“This authorization means that Symantec can issue SHA-1 certificates that will enable Worldpay’s devices to keep operating a while longer, and that issuance will not be regarded by Mozilla as a defect. This decision only affects the Mozilla root program; other root programs may still consider the issuance of these certificates to be a mis-issuance,” Richard Barnes, Firefox security lead at Mozilla, said in a blog post.

Not everyone is happy with the decision. Former Mozilla employee Brian Smith noted that through its decision, the company has “effectively reversed the economic incentives for CAs so that it is profitable to go against Mozilla’s initiatives to improve web security. And, in the course of doing so, Mozilla has damaged its own credibility and reduced leverage in enforcing its CA policies going forward.”

It remains unclear whether Apple, Microsoft and Google will accept Symantec's certificates or whether they will stand by their decisions not to accept SHA-1 certificates issued on or after January 1, 2016.

“We understand that there are payment processing organizations other than Worldpay that continue to have similar requirements for SHA-1 — either within the Web PKI or outside it. It is disappointing that these organizations are putting the public’s data at risk by using a weak, outdated security technology,” Barnes said.

As SHA-1 has become increasingly cheap to attack, all major browser vendors have announced plans to stop trusting SHA-1 certificates by January 1, 2017, and some could do so sooner.

Firefox began rejecting SHA-1 certificates issued on or after January 1, 2016, but Mozilla released an update on January 6 that temporarily restored acceptance after learning that users behind security scanners, antivirus products and other "man-in-the-middle" devices, which generate fresh SHA-1 certificates locally for the HTTPS sites they intercept, were being locked out of those sites.
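The two policy dates in play here, the January 1, 2016 issuance cutoff that Firefox and the other browsers enforce and the 90-day / December 31, 2016 limits attached to Mozilla's exception, can be checked mechanically on any certificate by reading the outer signatureAlgorithm OID and the validity window out of its DER encoding. The following Python is an added example, not code from the article, Mozilla or Symantec. It contains a minimal DER encoder used only to build constructed sample certificates (zeroed key and signature, so they parse like real certificates but are not cryptographically valid), a minimal decoder, and an audit() whose finding names are this example's own. The domain-restriction and Certificate Transparency conditions are not checked; they need the issued certificate's SAN list and SCTs, which the sample skeletons omit.

```python
"""Audit X.509 certificates for SHA-1 signatures against the date windows in the article.
Added example, not code from the article, Mozilla or Symantec. The sample certificates are
CONSTRUCTED with zeroed key/signature placeholders: structurally valid, cryptographically not."""
from datetime import datetime, timedelta, timezone

SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
UTC = timezone.utc
# From the article: browsers reject SHA-1 certs issued on/after the cutoff; the Mozilla
# exception caps lifetime at 90 days and expiry at 2016-12-31, the browsers' SHA-1 sunset.
SHA1_ISSUANCE_CUTOFF = datetime(2016, 1, 1, tzinfo=UTC)
SHA1_SUNSET = datetime(2016, 12, 31, 23, 59, 59, tzinfo=UTC)
EXCEPTION_MAX_LIFETIME = timedelta(days=90)

# ---- minimal DER encoder, just enough to build a certificate skeleton ----
def _length(n):
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def seq(*parts):
    return der(0x30, b"".join(parts))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                    # base-128 digits, high bit set on all but the last
        digits = [arc & 0x7F]
        while arc := arc >> 7:
            digits.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(digits))
    return der(0x06, bytes(body))

def utctime(dt):                            # RFC 5280 UTCTime; dates from 2050 on need GeneralizedTime (0x18)
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_cert(sig_oid, not_before, not_after, cn=b"example.test"):
    """CONSTRUCTED sample: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    alg = seq(oid(sig_oid), der(0x05, b""))                    # AlgorithmIdentifier with NULL params
    name = seq(der(0x31, seq(oid("2.5.4.3"), der(0x0C, cn))))   # Name: one RDN, CN=<cn>
    validity = seq(utctime(not_before), utctime(not_after))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), der(0x05, b"")), der(0x03, bytes(17)))  # rsaEncryption, zero key
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x12\x34"), alg, name, validity, name, spki)  # v3, serial
    return seq(tbs, alg, der(0x03, bytes(33)))                 # zeroed signature BIT STRING

# ---- minimal DER decoder ----
def tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length   # (tag, value, position after the element)

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = tlv(content, pos)
        out.append((tag, value))
    return out

def decode_oid(b):
    arcs, value = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def decode_time(tag, b):                    # 0x17 UTCTime (two-digit year) or 0x18 GeneralizedTime
    return datetime.strptime(b.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_cert(der_bytes):
    _, cert, _ = tlv(der_bytes)
    tbs, sig_alg, _signature = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = children(fields[3][1])   # serial, signature, issuer, validity, ...
    return {"sig_alg": decode_oid(children(sig_alg[1])[0][1]),   # the outer signatureAlgorithm
            "not_before": decode_time(*not_before), "not_after": decode_time(*not_after)}

def audit(der_bytes):
    """Return (signature OID, findings); the finding names are this example's own."""
    info, findings = parse_cert(der_bytes), []
    if info["sig_alg"] == SHA1_RSA:
        findings.append("sha1-signature")
        if info["not_before"] >= SHA1_ISSUANCE_CUTOFF:
            findings.append("needs-root-program-exception")   # otherwise a mis-issuance
            if info["not_after"] - info["not_before"] > EXCEPTION_MAX_LIFETIME:
                findings.append("lifetime-over-90-days")
        if info["not_after"] > SHA1_SUNSET:
            findings.append("expires-after-2016-12-31")
    return info["sig_alg"], findings

# Constructed samples mirroring the cases in the article.
LEGACY_SHA1 = build_cert(SHA1_RSA, datetime(2015, 6, 1, tzinfo=UTC), datetime(2016, 6, 1, tzinfo=UTC))
EXCEPTION_SHA1 = build_cert(SHA1_RSA, datetime(2016, 2, 29, tzinfo=UTC), datetime(2016, 5, 29, tzinfo=UTC))
NONCOMPLIANT_SHA1 = build_cert(SHA1_RSA, datetime(2016, 3, 1, tzinfo=UTC), datetime(2017, 3, 1, tzinfo=UTC))
MODERN_SHA256 = build_cert(SHA256_RSA, datetime(2016, 3, 1, tzinfo=UTC), datetime(2017, 3, 1, tzinfo=UTC))
```

For a real certificate, base64-decode the PEM body (the text between the BEGIN and END lines) and pass the DER bytes to audit(); `openssl x509 -noout -text` prints the same Signature Algorithm and Validity fields for a cross-check. The legacy sample (issued in 2015, expiring mid-2016) yields only the SHA-1 finding, which matches the article: pre-cutoff SHA-1 certificates were still accepted until their expiry, while a SHA-1 certificate issued in 2016 is a mis-issuance unless a root program has explicitly excused it.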

Twitter, Facebook and CloudFlare hope to convince the industry to keep SHA-1 alive a little longer, arguing that users on older browsers and devices that do not support SHA-2 would otherwise be cut off from websites.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
