Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Breaks Its Own Promise, Allows Symantec To Issue Insecure Certificates (softpedia.com)

Posted by BeauHD on from the show-no-mercy dept.

An anonymous reader writes: After researchers discovered that SHA-1 can be decrypted, Mozilla, together with Microsoft and Google, said they will no longer "trust" SHA-1-based certificates issued after January 1, 2016, and later stop supporting any type of SHA-1 certificates after June 30, 2016, or January 1, 2017. The foundation went back on its word this week, when Symantec begged Mozilla to allow it to issue nine new certificates for one of its clients, Worldpay PLC, which forgot to request these certificates before January 1. Symantec got what it wanted. Fortunately, other companies like Microsoft, Apple, or Google didn't cave under the pressure.

3 of 86 comments (clear)

  1. Choice of words? by buchner.johannes · · Score: 3, Insightful

    Hashes are not encryption. Plans are not promises.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:Choice of words? by arglebargle_xiv · · Score: 5, Insightful

      Oh dear Cthulhu, how can you get a simple summary wrong on so many levels?

      • Firstly, SHA-1 is a hash function, not a cipher, so you can't "decrypt it".
      • Secondly, there's no immediate attack on it, it's just known to not be as strong as it should be. With a couple of simple precautions (e.g. using a high-entropy cert serial number) you can make it more resistant to known issues. It's not a total fix, but it helps.
      • Thirdly, Mozilla doesn't control Symantec. Symantec were asked by a private customer to be allowed to use a small number of SHA-1 certs for their payment terminals, which have absolutely nothing to do with Mozilla.
      • Fourthly, "other companies" have nothing to do with it, this is a decision by the CA. It just happened to be discussed on the Mozilla forums.
      • ...
      • Twenty-fifthly, it's a pretty odd distinction to make over cert issuance, if they'd issued a few weeks earlier (before the end of 2015) they'd have got cert with a one-year validity, so valid till the end of 2016. By not having them issued until now they're supposed to get one with an effective zero validity. All this is doing is allowing a private user with no connection to Mozilla to get the same effect as if it had bought the certs a few weeks ago.
      • Twenty-sixthly, ...
  2. What ever happened to tough shit? by thegarbz · · Score: 4, Insightful

    So this "blunder" means that user's payments aren't going through, and now the work around is to ensure the user's payments are no longer secure?

    Sorry but I'd prefer my payment to not go through. I want no business with people who refuse to secure my financial transactions, I mean it's not like there wasn't a warning. Mozilla is again showing that they don't give a shit about users.

    But the article gives rise to another interesting issue, it implies there may have been a rush on renewals for SHA-1 certs. This kicking the can down the road approach deserves naming and shaming.