Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Mozilla Re-Enables Support for SHA-1 in Firefox

Starting on January 1, 2016, Firefox 43 began rejecting new SSL certificates that use the SHA-1 cryptographic hash function, but the latest version of the browser (43.0.4) no longer does that.

Starting on January 1, 2016, Firefox 43 began rejecting new SSL certificates that use the SHA-1 cryptographic hash function, but the latest version of the browser (43.0.4) no longer does that.

Following reports that the cost of collision attacks against SHA-1, one of the main threats against the digest algorithm, has dropped significantly, Mozilla even announced that it would completely reject such certificates starting July 2016, yet it appears that the company has had a change of heart. The company has re-enabled support for SHA-1 in the latest Firefox release, while re-evaluating impact on users.

The initial plan for deprecating SHA-1 was to warn users when they accessed a page that used a new certificate signed with the weaker algorithm. The idea behind this move was to determine site owners to migrate to certificates using the more secure SHA-2 function, while also providing them with enough time to do so, as the intended rejection date for SHA-1 certs was initially set to January 1, 2017.

Since there are not that many new SHA-1 certificates in use, the change should have been smooth and largely unnoticed. However, Mozilla’s Richard Barnes notes in a recent blog post that users behind “man-in-the-middle” devices such as security scanners and anti-virus products have lost access to HTTPS sites on January 1, 2016, when Firefox started rejecting new SHA-1 certs.

“When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server’s real certificate. Since Firefox rejects new SHA-1 certificates, it can’t connect to the server,” Barnes explains.

Affected users would not be able to load HTTPS pages in Firefox and, when accessing the “Advanced” option in the browser, they would see the error code “SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED.” Those who experience this issue are advised to install the latest version of Firefox, which no longer blocks pages that rely on new SHA-1 certificates.

Given that Firefox updates are delivered over HTTPS, users behind such man-in-the-middle devices should manually download and update the new Firefox version, using a different browser. Another option is to head to about:config and change the value of “security.pki.sha1_enforcement_level” to 0 (which will accept all SHA-1 certificates).

Barnes also notes that users should ensure that their security application or anti-virus software is updated and that some vendors might have also removed the use of certificates signed with the SHA-1 algorithm in the recent versions of their products.

The situation where users lose access to HTTPS sites is what Facebook and CloudFlare warned about in early December, when they prompted the industry to delay the sunset of SHA-1. At the time, the two companies warned that millions of users would lose access to websites still relying on this algorithm, and that the SHA-2 support is still limited.

Users with older, legacy devices were said to be affected the most, especially those in emerging markets or in geographies representing the poorest, most repressive, and most war torn countries in the world. Just before Christmas, Twitter said it was backing the proposal for delaying SHA-1’s sunset, also saying that many of its users would lose access to its service and other HTTPS websites.

Although the latest version of Firefox re-enables support for SHA-1 certificates, Mozilla says it is still committed to completely removing SHA-1 support from Firefox. In the meantime, it will focus on learning more on the number of users affected by the move, while also urging vendors of TLS man-in-the-middle systems to update their products to use newer digest algorithms.

In late December, Google announced intentions to remove support for SHA-1 from Chrome earlier than initially planned, on July 1, 2016, when the browser would accept only certs signed with the SHA-2 or SHA-3 algorithms. As of January 1, 2016, Chrome version 48 displays a certificate error if it encounters a site with a leaf certificate that is signed with a SHA-1-based signature and which has been issued on or after that date.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...