Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

msm1267 writes: Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla. Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.

Good

[Threni]

A browser not trusting something that's not to be trusted is a positive thing. Yes, some old sites will suffer. That's how it's supposed to work. They'd better up their game. People expect security to be take more seriously these days, as there is more at stake and more muppets with a lot of time on their hands trying to attack you.

Re:oh. so nobody's actively managing them?

[Charliemopps]

hackers, start your engines...

No ones every managing them. These things are like domain names... they cost pennies and last for years... so despite their importance they fall to the bottom of businesses radar. A place I worked at a few years ago let their multi-million dollar domain expire. The registrar had been sending emails to an employee that had no longer worked there for quite a while...

The end result? It went down on a Sunday, and one of our hourly tech support guys (Making about $10/hr at the time) figured out what happened and registered the domain on his personal credit card and redirected it because he didn't know who to call. He got dinner out with the president of the company who shook his hand, asked him politely if he'd mind transferring the domain back to the company, which he did.

That guy, years later, ended up being my boss and making six figures. It pays to be clever on occasion. He always joked that the company could have sued him for what he did to get the domain back anyway but he was impressed the president thanked him and asked for it back personally.

Re: oh. so nobody's actively managing them?

[corychristison]

Was the domain being used? Or just squatting on it?

If you were actively using it, and it expired, you have a grace period of anywhere from 30 days to 90 days depending on the TLD, when this happened and who the registrar was/is.

With that said, your point is completely valid. Domain names, SSL certificates, and hosting accounts tend to be forgotten. I own a web design/development/hosting company. We actively maintain records of who we need to be dealing with, as well as their managers in the event our contact stops responding. As well, we introduced a fully managed service in which we manage everything for our clients, and we send them a single monthly invoice. Because it is billed every month, their services continue to Just Workâ, and in turn we are keeping consistent contact with them.

We have had the most problems with non-profit organizations. They are typically volunteer run, with a high turn over rate.

Re:Exaggerated, somewhat hysterical decision

[Dahan]

Who cares how many "high end-PC years" it took? Nobody's going to try to factor a 1024-bit modulus using a single high-end PC. It took 4 actual years to factor 10 numbers. And why do you think someone who wants to factor the RSA modulus for a 1024-bit CA cert would have waited until today to start the process? Those certs have been around for over 10 years; if someone with enough computing power wanted to factor one, they could be done by now.