Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

Posted by Soulskill on from the 2048-bits-ought-to-be-enough-for-anyone dept.

msm1267 writes: Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla. Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.

49 of 67 comments (clear)

  1. I'm so relieved by NotInHere · · Score: 4, Funny

    that slashdot wasn't affected by this.

  2. So 3/4 of them would have already failed? by jandrese · · Score: 4, Insightful

    It sounds from the writeup like most of the sites in question are defunct and that's why they're using out of date crypto. Few sites that people actually visit would appear to be affected.

    --

    I read the internet for the articles.
  3. oh. so nobody's actively managing them? by swschrad · · Score: 1

    hackers, start your engines...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:oh. so nobody's actively managing them? by Charliemopps · · Score: 4, Interesting

      hackers, start your engines...

      No ones every managing them. These things are like domain names... they cost pennies and last for years... so despite their importance they fall to the bottom of businesses radar. A place I worked at a few years ago let their multi-million dollar domain expire. The registrar had been sending emails to an employee that had no longer worked there for quite a while...

      The end result? It went down on a Sunday, and one of our hourly tech support guys (Making about $10/hr at the time) figured out what happened and registered the domain on his personal credit card and redirected it because he didn't know who to call. He got dinner out with the president of the company who shook his hand, asked him politely if he'd mind transferring the domain back to the company, which he did.

      That guy, years later, ended up being my boss and making six figures. It pays to be clever on occasion. He always joked that the company could have sued him for what he did to get the domain back anyway but he was impressed the president thanked him and asked for it back personally.

    2. Re: oh. so nobody's actively managing them? by corychristison · · Score: 3, Interesting

      Was the domain being used? Or just squatting on it?

      If you were actively using it, and it expired, you have a grace period of anywhere from 30 days to 90 days depending on the TLD, when this happened and who the registrar was/is.

      With that said, your point is completely valid. Domain names, SSL certificates, and hosting accounts tend to be forgotten. I own a web design/development/hosting company. We actively maintain records of who we need to be dealing with, as well as their managers in the event our contact stops responding. As well, we introduced a fully managed service in which we manage everything for our clients, and we send them a single monthly invoice. Because it is billed every month, their services continue to Just Workâ, and in turn we are keeping consistent contact with them.

      We have had the most problems with non-profit organizations. They are typically volunteer run, with a high turn over rate.

    3. Re: oh. so nobody's actively managing them? by Anonymous Coward · · Score: 1

      It's quite obvious you don't understand how domain name grace & renewal periods work, then.

      When your domain name expires, it immediately becomes unusable. Sometimes the registry changes the name servers, sometimes it simply fails to resolve. The grace period is an extension in time in which you (or your company) can renew it. It does not stay active, but can ONLY be renewed by the current owner.

      In order to register an expired domain name you didn't own before it expired, you have to wait until the grace/renewal period is over, then the domain gets placed in a To Be Released Auction and auctioned off to interested parties. The whole process from expiration to release is anywhere from 45 to 90 days. Even then, I've seen domains get delayed being put on a TBR list for months after expiration.

      I asked "Was the domain being used? Or just squatting on it?" because:

      - If the domain was in use (ie. The companies primary web address), it would take (on average) 3 months before someone who is not the current owner to register said domain. If my companies primary website was down for 3 months, and someone didn't notice until after the grace/recovery period, then there is something seriously wrong with the company.

      - If they were squatting on it, and no-one noticed, its a completely different story.

    4. Re: oh. so nobody's actively managing them? by corychristison · · Score: 1

      Typically we are dealing with IT staff, and Accounts Payable. Titles don't mean much in these area's, so knowing the managers of the departments is useful.

      I certainly see your point, though. There are plenty of movers and shakers out there.

  4. FTFA by Bill,+Shooter+of+Bul · · Score: 4, Insightful

    “All major browsers will alert users of a site using an expired certificate, and of the 107k affected, only 30k were not expired, and so would no longer be trusted by Mozilla as a result of their recent change,”

    So not 107K, only 30k. And that's not a real issue. The browsers are correct, the connection isn't secure at 1024. People can complain as much as they want, trust is not something that is eternally granted without condition.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:FTFA by thegarbz · · Score: 3, Insightful

      trust is not something that is eternally granted without condition.

      The condition being to grease the palms of a third party?

    2. Re:FTFA by bondsbw · · Score: 1

      People can complain as much as they want

      Yep, that about sums up the Internet.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    3. Re:FTFA by Bill,+Shooter+of+Bul · · Score: 1

      I really don't understand people's hang up with the fee. Certs are cheap as hell. I understand they don't really do that much to verify any one's identity, but its so freaking cheap.

      How much abuse is there with fake certificates being issued? I've only heard about a couple of cases. Its better than nothing, and certainly worth the small amount of money.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    4. Re:FTFA by skids · · Score: 2

      People can complain as much as they want

      Yep, that about sums up the Internet.

      Only half. The other half is "and still get screwed over."

      The cert authorities as a whole, following NIST recommendations, decided to not just stop issuing 1024 certs, but also to revoke their 1024 root certs, so anything checking CRLs would just break. Months before the actual deadline. They could have just let those certs run out on schedule, but that wasn't good enough for NIST. Moreso, they could have only sold them such that they ran out on schedule (we were sold a 5-year 1024bit cert in 2009 when the deadline had been set at EOY 2011 since 2005). After an extension by NIST from EOY2011 to EOY2013, made in 2011, the number of certs issued with expiry times much past the deadline was likely pretty small (so in case the NIST estimate of when someone would have the compute power to crack our cert was off by 6 months, we had to swap it out a year early distracting us in the middle of more important things.) Anyone concerned enough to worry that an obscene amount of CPU power would be dedicated to compromising their particular cert would have changed them voluntarily, and even the laggards would have likely made it under the wire before any serious attack on their crypto infrastructure. Finally, lots of people use these certs in internal settings where the crypto isn't the sole security and the real value of the cert isn't crypto but the fact that users don't have to install a site-owned PKI CA root certificate to get the "annoying popups" to stop.

      Sooo... it was fortunate that almost nothing was checking CRLs during all that, though as a general state of affairs that also needs to be fixed.

      Oh sure, the CAs offered free bridge certs to "make up" for the whole thing. Not good enough. They should have comped an extra year on for free or something. Since they didn't there should have been class action suit to make them pay for the hassle.

      People need to quit breaking shit on a whim.

      --
      Someone had to do it.
    5. Re:FTFA by lolococo · · Score: 1

      So are you saying that money buys trust? How cynical. Let's see how well that goes down in the future.

      The whole SSL ecosystem is based on the fact that you can absolutely trust the certificate authorities. The corollary to this is that, if a single CA is breached, then the whole system becomes untrustworthy. I'm confused as to why most of us still refuse to see that. Propoganda and disinformation? Well, the SSL world definitely represents a huge business, and it's clear none of its stakeholders is willing to see it blow up in smoke. Why let the facts and the truth get in the way of business?

    6. Re:FTFA by RabidReindeer · · Score: 1

      Yes. It's being dropped because it gave the illusion of security without the actuality.

      Unfortunately, a LOT of very public websites are running on old expired certs, which isn't really any better.

      People need to stop thinking that "software doesn't wear out" - meaning in this case, the security vouchers. Bits may remain unchanged, but the world does not, and if you expect the entire cost of the system is what you paid for at the "cash register" without accounting for ongoing maintenance, you're a fool.

    7. Re:FTFA by Bill,+Shooter+of+Bul · · Score: 1

      "So are you saying that money buys trust"

      No.

      "The whole SSL ecosystem is based on the fact that you can absolutely trust the certificate authorities."

      No, it isn't. Trust is not absolute. Learn this. Please.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
  5. The more paranoid you are, the less you trust by penguinoid · · Score: 1

    An unavoidable side effect of trusting less is that you trust less. In this case, ancient websites using outdated crypto, won't be trusted. Most of which already are no longer trusted due to expired certificates.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  6. Several things might happen by Streetlight · · Score: 2

    1. If all these sites renew or get proper certificates it'll be a big improvement in cash for the Certificate Authorities.

    2. Maybe most of these un-certificated sites will disappear, though it won't mean much for internet congestion if most are not accessed anyway.

    3. Maybe swschard's comment that hackers will have a field day is true, although to what benefit to hackers or detriment to site users?

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  7. Good by Threni · · Score: 4, Interesting

    A browser not trusting something that's not to be trusted is a positive thing. Yes, some old sites will suffer. That's how it's supposed to work. They'd better up their game. People expect security to be take more seriously these days, as there is more at stake and more muppets with a lot of time on their hands trying to attack you.

    1. Re:Good by Anonymous Coward · · Score: 1

      I agree, but the danger is that when people see more and more security warnings for sites that they trust or that seem legitimate, they will learn to click through all warnings. Non-browser-related example (because who in their right mind would run Java in a browser): For every Java update I get a "revocation information not available" error. Apparently Oracle can't handle their certificates appropriately. They're not likely to fix it. What should I do? Of course I click through it, because an old Java version is definitely worse than a broken certificate.

    2. Re:Good by Hamsterdan · · Score: 1

      "they will learn to click through all warnings". Kinda Vista's UAC did for Windows users. Besides, people will go to great lenghts to see lolcats.

      --
      I've got better things to do tonight than die.
  8. The way firefox manages this... by Skuld-Chan · · Score: 3, Insightful

    Firefox doesn't support the OS's built in certificate stores, which makes it a really big pain in the ass to manage certs yourself (like if your managing certs for firefox users at your company) - you basically have to compile certutil and write all kinds of fun scripts for client devices.

    If firefox let me co-manage certs I could just re-add the deprecated cert :).

    1. Re:The way firefox manages this... by kimvette · · Score: 1

      Firefox is becoming a real pain in the ass when it comes to certs. I can see displaying a "ZOMG!!! WARNING!!!" when trying to load a low-bit cert, but it fails completely, which makes it unusable for managing more and more enterprise appliances, some of them being brand new. One could go to each and every appliance and LOM module and generate a new high-bit cert but if you've got enough of them in your data center it's a royal pain in the ass to do so.

      The solution? Use any browser other than firefox.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    2. Re:The way firefox manages this... by Anonymous Coward · · Score: 1

      Actually, I like the way that Firefox manages CA.

      Where I work, they have pushed CA's to PCs. When I connect to https://mail.google.com, and several other sites, in IE or Chrome, no warning. The company's MITB computer is not detected. When I connect with Firefox, I get the proper warning.

      Of course, most people think that Firefox is the problem and prefer Chrome until I explain what's really going on. If I want to add the company's CA manually, I can but at least it's my choice.

  9. And of those trusted by Mister+Liberty · · Score: 1

    you'll never know how many you can't trust.

  10. Math. by msauve · · Score: 3, Insightful

    "Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25"

    So, the headline should really say 31,000, since 76,000 shouldn't be trusted regardless of what Mozilla does.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Math. by afidel · · Score: 1

      It's much more important than the 31k affected sites, 1024 roots are weak enough targets that just about any nation state and many crime syndicates can create a flood of valid and trusted certs just by factoring the private key of that one CA cert.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Math. by msauve · · Score: 1

      "It's much more important than the 31k affected sites"

      If there are only 31K affected sites, how can it be "more important" than that? The rationalization you give only applies to sites with 1024 roots, which has been stipulated to be those 31K. Where's the "more?"

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  11. Re:You know who I don't trust? by Charliemopps · · Score: 1

    Anyone but self-signed Certificate providers.

    All certs effectively do is provide encryption. The whole "provides identity" thing is a myth because there is *no* way to ensure such a thing. There's about a zillion ways to fake that identity. Encryption is guaranteed. Unbreakable encryption is not. That's all you get. That's all you'll *ever* get.

    Browser "trust" warnings are nothing more than scare tactics designed by the cert manufacturers, in collusion with browser manufacturers, designed to build a completely unnecessary industry for scamming web site owners out of a huge amount of completely wasted money. Wasted other than funding the cert provider parasites, that is.

    Using your reasoning, I could very well be living my life in an NSA created virtual world, so any conversation I have in any capacity at all could be monitored at any time. Even my thoughts! So there is no reason for any of this security what-so-ever and it's all a scam by evil virtual corporations to steel my fake virtual money. Right?

  12. Re:So 1024 Bits Not Enough Now? by wonkey_monkey · · Score: 1

    I'm going to go out on a limb and suggest (and this is just a hunch) that you don't know what you're talking about.

    --
    systemd is Roko's Basilisk.
  13. Re:So 1024 Bits Not Enough Now? by heypete · · Score: 5, Informative

    Symmetric and asymmetric keys are different things and have different key lengths. One cannot directly compare key sizes between two wholly different classes of ciphers. There are numerous reasons, mostly involving arcane mathematics, why asymmetric ciphers require longer key lengths than symmetric ciphers to offer similar levels of protection.

    For example, a 1024-bit RSA key (RSA is an asymmetric cipher) is essentially equivalent to an 80-bit symmetric key (AES, 3DES, etc. are symmetric ciphers). SHA1, a hashing algorithm, provides less than 80 bits of security; those wishing stronger signatures are switching to SHA-256 (which offers 128 bits of security) and SHA-512 (which offers 256 bits).

    A 2048-bit RSA key, such as those used by most CAs and web servers these days, has the same strength as a 112-bit symmetric key. NIST says they should be good enough until around 2030.

    3072-bit RSA keys offer the same strength as a 128-bit symmetric key. A whopping 15,360-bit RSA key would be needed for 256-bit security; the same level of security could be achieved with a 512-bit elliptic curve key, which would be much, much faster than such a large RSA key.

  14. Meh! by Anonymous Coward · · Score: 2, Insightful

    So basically the net effect will be another warning page to click through when visiting the sites in question? Do end users really know what any of this stuff really menas?

  15. And I care about this why ?? by UnknownSoldier · · Score: 1

    Seriously, how does this effect web browsing for the average Joe?

    1. Re:And I care about this why ?? by Nimey · · Score: 2

      If you visit an affected website in Firefox 32+ it'll warn you about the SSL certificate and you'll have to take a couple extra steps to visit it. For you it's an inconvenience, but only if you use one of these sites. For the website operator maybe it'll shame them into getting an updated certificate.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  16. Re:So 1024 Bits Not Enough Now? by leathered · · Score: 1

    I was thinking the same, and I'm no expert in cryptography. After all distributed.net have spent 12 years trying to brute-force a 72-bit key and have only managed to test 3% of the total keys. 2^1024 is such a mind-bogglingly large number the entire world's computers couldn't crack it in a billion lifetimes.

    Anyway, wiki to the rescue:

    As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030.[6] NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.

    --
    For all intensive porpoises your a bunch of rediculous loosers
  17. Exaggerated, somewhat hysterical decision by Anonymous Coward · · Score: 2, Insightful

    RSA-1024 are still safe, despite what many fearmongers have been preaching for years. It was only a few days ago
    (http://www.newscientist.com/article/dn26135-factorisation-factory-smashes-numbercracking-record.html?cmpid=RSS|NSNS|2012-GLOBAL|online-
    news#.VAXRfDzYvyF) that a new factorization record was announced. It is a roughly 1,024-bit integer - but it took 2000 high end-PC years, and it is a Mersenne integer - orders of magnitude easier to factorize than an integer of similar size obtained as the product of two large primes, which is what one does in the RSA algorithm.

    Short of sudden, unexpected and dramatic breakthroughs in the fields of mathematical integer factorization, or quantum computing, RSA-1024 keys still have quite a few years of usefulness ahead.

    1. Re:Exaggerated, somewhat hysterical decision by Dahan · · Score: 3, Interesting

      Who cares how many "high end-PC years" it took? Nobody's going to try to factor a 1024-bit modulus using a single high-end PC. It took 4 actual years to factor 10 numbers. And why do you think someone who wants to factor the RSA modulus for a 1024-bit CA cert would have waited until today to start the process? Those certs have been around for over 10 years; if someone with enough computing power wanted to factor one, they could be done by now.

  18. Re:So 1024 Bits Not Enough Now? by 93+Escort+Wagon · · Score: 1

    ... the same level of security could be achieved with a 512-bit elliptic curve key, which would be much, much faster than such a large RSA key.

    It'd be faster for the NSA too - it's a win-win!

    --
    #DeleteChrome
  19. Re:Unable to add exception (w/ workaround) by IonOtter · · Score: 1

    Is this alteration specific to self-signed appliances, like a NAS? Or would this bypass for all self-signed certificates?

    Also, this sounds like a good thing to keep a record of, with regards to documenting changes in your about:config.

    --
    [End Of Line]
  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  21. Re:You know who I don't trust? by the_Bionic_lemming · · Score: 1

    try being in business and signing your own cert.

    Let me know how many tech calls you get because Norton deletes your web delivered exe.

    scare or not - It's a money problem unfairly placed on developers.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  22. The way firefox manages this... by Anonymous Coward · · Score: 1

    And that's probably why they don't, captcha prorate

  23. They declared that security required, https by raymorris · · Score: 1

    The sites got certificates and installed them several years ago, before thw current "https everywhere " trend. In other words, they decided that because they were handling sensitive information, they needed a secure connection. Maybe they have an order form,that accepts credit cards, whatever. For some reason, they needed to be more secured than most sites. The URL in the address bar says "https", indicating that it is secured. We know that although they publicly declared that their site should be secured, it isn't.

    Contrast xkcd.com. Randall didn't get a certificate, because you don't need a secured connection to look at nerd comics. Which site presents a security risk? The site that has no need of tls, or the site that needs to be secured, but isn't?

    * xkcd might actually have a cert, if they sell stuff on the site or whatever. I didn't bother checking because it's beside the point whether that specific site uses a cert.

    1. Re:They declared that security required, https by WuphonsReach · · Score: 1

      Even if you don't do financial transactions on your site - consumers / customers / users are getting more savvy and want *any* personal information to be encrypted in transit. Login details are naturally something that should always be encrypted, but that also extends to things as mundane as URL history or search terms.

      I just wish DANE was farther along (plus DNSSEC).

      --
      Wolde you bothe eate your cake, and have your cake?
  24. Re:So 1024 Bits Not Enough Now? by dkf · · Score: 1

    You're confusing the cost of legitimate operations with the cost of searching the key space. You don't want legit users to bear too much cost since everyone ends up paying that over and over, but you do want the cost of searching to be high since that's not something that people should be doing.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  25. Good!!! by LostMyBeaver · · Score: 1

    Remember that the exponential math in DH and RSA is called a HARD problem, not and impossible one. Consider that regarding key strength 1024 bits of RSA is not very secure in today's world. I'm not saying it's cracked... Just weak.

  26. Re:You know who I don't trust? by sjames · · Score: 1

    While GP's statement was over the top, it isn't ENTIRELY off base. Lets consider, you connect to a site via. https and look at the cert.

    According to the cert, ajaxco says the site is example.com (as expected). But wait, who the hell is ajaxco? Ever heard of them? Any idea how quality oriented they are? How do they KNOW example.com is the one and only example.com? Did they send an investigator? Did they do a corporate records search (for a personal web site, yeah sure)? Or did they make the person who requested the cert pinkie swear?

    For all you know, ajaxco, a division of fly-by-night industries gave the cert to the owner's brother-in-law with no concern for correctness whatsoever.

    Or perhaps the CA means to be legit but failed to secure their signing key (it HAS happened) and the cert was actually signed by none other than the Russian Mafia.

    Perhaps a government somewhere ordered a CA in their jurisdiction to sign the bogus cert. That government may or may not be corrupt.

    But you have the ILLUSION that you know who you are talking to.

    As for the costs, the market has had 20 years to work that out and it has failed.

  27. Seems kind of pointless- the DNS has to be subver by raymorris · · Score: 1

    DANE seems very nearly pointless to me. Maybe I'm mising something. The victim goes to Paypal.com. Their browser checks the certificate to make sure it's really Paypal.com, as opposed to a MITM or someone who hijacked Paypal's DNS. That's the typical use for TLS, right?

    So checking the cert is supposed to protect the user from an adversary who can intercept packets addressed to Paypal.com and send back bogus responses. That means the adversary can intercept DNS packets intended for Paypal.com and respond wuth a bogus cert record. Nothing has been gained unless you can independently verify the DNS records using some other mechanism. It's proposed that DNSSEC be used for this. DNSSEC basically means the DNS record is signed, so to trust the DNS we need to validate the cert used to sign the DNS. Okay, soall we have to do is find a way to validate a DNS signing cert. If we can validate that cert, we can trust the ssl cert.

    Hmm, we validate someone's cert by first validating their cert? I don't think we've made any progress toward solving the problem.

  28. Re:Seems kind of pointless- the DNS has to be subv by WuphonsReach · · Score: 1

    DANE is mostly to guard against rogue CAs. CA #1 cannot sign a certificate claiming to represent the domain that was actually certified by CA #2. So it limits the amount of damage that a rogue CA can get away with.

    It may also eliminate the need for CAs and certificate altogether. You just store the public half of your certs in the DNS system.

    --
    Wolde you bothe eate your cake, and have your cake?
  29. Re:Seems kind of pointless- the DNS has to be subv by raymorris · · Score: 1

    -> It may also eliminate the need for CAs and certificate altogether. You just store the public half of your certs in the DNS system

    That's the problem. By the time a TLS certificate comes into play, the DNS must have already been compromised (directly or via mitm). The certificate is designed to alert you if the server you're talking to isn't who you think it is - based on DNS.