Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

Posted by Soulskill on from the 2048-bits-ought-to-be-enough-for-anyone dept.

msm1267 writes: Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla. Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.

7 of 67 comments (clear)

  1. So 3/4 of them would have already failed? by jandrese · · Score: 4, Insightful

    It sounds from the writeup like most of the sites in question are defunct and that's why they're using out of date crypto. Few sites that people actually visit would appear to be affected.

    --

    I read the internet for the articles.
  2. FTFA by Bill,+Shooter+of+Bul · · Score: 4, Insightful

    “All major browsers will alert users of a site using an expired certificate, and of the 107k affected, only 30k were not expired, and so would no longer be trusted by Mozilla as a result of their recent change,”

    So not 107K, only 30k. And that's not a real issue. The browsers are correct, the connection isn't secure at 1024. People can complain as much as they want, trust is not something that is eternally granted without condition.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:FTFA by thegarbz · · Score: 3, Insightful

      trust is not something that is eternally granted without condition.

      The condition being to grease the palms of a third party?

  3. The way firefox manages this... by Skuld-Chan · · Score: 3, Insightful

    Firefox doesn't support the OS's built in certificate stores, which makes it a really big pain in the ass to manage certs yourself (like if your managing certs for firefox users at your company) - you basically have to compile certutil and write all kinds of fun scripts for client devices.

    If firefox let me co-manage certs I could just re-add the deprecated cert :).

  4. Math. by msauve · · Score: 3, Insightful

    "Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25"

    So, the headline should really say 31,000, since 76,000 shouldn't be trusted regardless of what Mozilla does.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  5. Meh! by Anonymous Coward · · Score: 2, Insightful

    So basically the net effect will be another warning page to click through when visiting the sites in question? Do end users really know what any of this stuff really menas?

  6. Exaggerated, somewhat hysterical decision by Anonymous Coward · · Score: 2, Insightful

    RSA-1024 are still safe, despite what many fearmongers have been preaching for years. It was only a few days ago
    (http://www.newscientist.com/article/dn26135-factorisation-factory-smashes-numbercracking-record.html?cmpid=RSS|NSNS|2012-GLOBAL|online-
    news#.VAXRfDzYvyF) that a new factorization record was announced. It is a roughly 1,024-bit integer - but it took 2000 high end-PC years, and it is a Mersenne integer - orders of magnitude easier to factorize than an integer of similar size obtained as the product of two large primes, which is what one does in the RSA algorithm.

    Short of sudden, unexpected and dramatic breakthroughs in the fields of mathematical integer factorization, or quantum computing, RSA-1024 keys still have quite a few years of usefulness ahead.