Following reports that the cost of breaking the SHA1 Internet security standard is lower than previously estimated, Mozilla is considering rejecting SHA1-based certificates half a year earlier than initially planned.
Researchers have been finding weaknesses in SHA1 since 2005 and the industry generally agrees that it’s time to move away from the outdated algorithm. Since migrating to a more secure alternative too quickly could break the Internet, major web browser vendors such as Microsoft, Google and Mozilla announced plans to kill SHA1 by January 1, 2017.
In a blog post published on Tuesday, Mozilla said it has already added a security warning to the Web console in Firefox 38 to remind developers that they should not use certificates with signature algorithms that rely on SHA1 or weaker hash functions.
Starting with Firefox 43, scheduled for release in December 2015, the web browser will display an “Untrusted Connection” error when an SHA1 certificate issued after January 1, 2016 is detected.
“This includes the web server certificate as well as any intermediate certificates that it chains up to. Root certificates are trusted by virtue of their inclusion in Firefox, so it does not matter how they are signed,” Richard Barnes, who leads Mozilla’s security engineering team, explained in a blog post. “However, it does matter what hash algorithm is used in the intermediate signatures, so the rules about phasing out SHA-1 certificates applies to both the web server certificate and the intermediate certificates that sign it.”
The current plan is to start rejecting all SHA1 SSL certificates on January 1, 2017. However, since researchers recently demonstrated that breaking the cryptographic hash function is far less costly than initially believed, Mozilla says it’s considering the feasibility of completely killing SHA1 as early as July 1, 2016.
In 2012, cryptography experts estimated that a practical collision attack against SHA1 would cost $700,000 by 2015 and roughly $173,000 by 2018. However, an attack method discovered by researchers from France, the Netherlands and Singapore, dubbed a “freestart collision,” which leverages the power of GPUs, lowers the cost of breaking SHA1 to $75,000 – $120,000 worth of computing power from Amazon’s EC2 cloud.
The OpenSSL bug dubbed “Heartbleed,” whose existence came to light in April 2014, resulted in roughly half a million certificates being potentially compromised. Since companies rushed to revoke and reissue many certificates, SHA2 overtook SHA1 by May 2015.
However, according to the latest SSL survey from Netcraft, there are still nearly one million SSL certificates signed with the SHA1 hashing algorithm.
“Despite being regarded as weak or insecure by one of the most commonly used browsers, over 120,000 of the SHA-1 certificates currently in use on the web were issued during 2015, and 3,900 of these have expiry dates beyond the start of 2017,” Netcraft’s Paul Mutton wrote in a blog post. “The owners of these certificates will undoubtedly need to replace them months — or in some cases, years — before they are due to expire.”