Mozilla Breaks Its Own Promise, Allows Symantec To Issue Insecure Certificates

An anonymous reader writes: After researchers discovered that SHA-1 can be decrypted, Mozilla, together with Microsoft and Google, said they will no longer "trust" SHA-1-based certificates issued after January 1, 2016, and later stop supporting any type of SHA-1 certificates after June 30, 2016, or January 1, 2017. The foundation went back on its word this week, when Symantec begged Mozilla to allow it to issue nine new certificates for one of its clients, Worldpay PLC, which forgot to request these certificates before January 1. Symantec got what it wanted. Fortunately, other companies like Microsoft, Apple, or Google didn't cave under the pressure.

Choice of words?

[buchner.johannes]

Hashes are not encryption. Plans are not promises.

Re:Choice of words?

[marcansoft]

And this has nothing to do with trusting SHA-1 certificates in browsers. This is purely a policy issue.

Symantec isn't asking for a whitelist. They aren't asking for an exception in browser policy. They aren't asking Mozilla to trust those certificates. What they're asking for is an exception to CA policy. They are asking to violate agreed upon CA rules by "merely" issuing certificates using a weak algorithm (browsers ought not to trust these certs, but that's irrelevant, it's the fact that they're issuing them at all that breaks the rules). In effect, what they're saying to Mozilla is "we're breaking the rules, but please don't kick us out from the root store".

If Symantec goes ahead and issues the certs, then any other trust store or entity in a position to enforce CA policy requirements (such as other browser vendors, MS, etc.) is well within their right to remove trust from Symantec roots due to a violation of CA policy.

Of course, since this is Symantec, it won't happen. They're too big to fail. They'll do it anyway and get a slap on the wrist at most. This is too minor a bending of the rules for anyone to seriously propose kicking them out. That's the problem with big CAs - nobody wants to be the guy to detrust them, because then what users will see is "this browser sucks, I can't access all these sites". And so big CAs get to ignore policy or have major security breaches (I'm looking at you, Comodo) with impunity.

Re:Choice of words?

[khasim]

There is one aspect that is hopeful:

Internally, Mozilla has agreed to allow Symantec to issue these certificates under two conditions: the entire process should be transparent, and that the certificates should expire after only 90 days.

So if the certificates expire in 90 days (and are replaced with better ones) I'm okay with that.

The part I still don't understand is why anyone would still need the old SHA-1 certificates. Are their systems THAT OLD? If so, I'm sure they have other problems that haven't been addressed.

Re:Choice of words?

[marcansoft]

One of the arguments in the e-mail discussion thread is actually reasonable: the rules say no new SHA-1 certs issued after January 1 2016, and no certs valid for >1 year. Which meant that a ton of people got last-minute certs issued in December. Those certs are valid for the whole year of 2016. WorldPay just fucked up and forgot - had they done so they would have the whole year to upgrade their terminals.

So, in a way, a 90-day cert issued today is less of a security problem than all the last-minute certs issued right at the end of 2015. From that point of view, perhaps the rules weren't defined very well. It would've made more sense to have only a NotAfter restriction: no SHA-1 certs expiring after December 31st this year, effectively a steadily decreasing maximum validity period as the year progresses. Then this wouldn't have happened.

Still, policy is policy, and the fact that Symantec is being allowed an exception (even if that exception makes some logical sense) is concerning.

As for why they need SHA-1 certs? Old POS terminals using public CA roots, and still without SHA-256 support. Welcome to the embedded world. And yes, I'm sure they have lots of other vulnerabilities.

Re:Choice of words?

e-commerce sites that target businesses. I kid you not. We had one client say that their site was broken when we removed SHA-1 acceptance. They were testing on IE8 on XP. We told them to pound sand, we weren't going to lower our security.

Re:Choice of words?

[sunderland56]

Of course, since this is Symantec, it won't happen.

I wouldn't be too sure of that. There are more than enough people out there with a simmering hatred of Symantec and the crapware they have foisted on the world.

Re:Choice of words?

[Luthair]

Not sure whether it is the case here, but apparently there are some older SSL accelerators companies are still using that only support sha1. Similarly some corporate reverse proxies only supporting sha1.

There is an about:config option which allows you to turn off sha1 certs if you like, I turned it on a while back.

Re:Choice of words?

[arglebargle_xiv]

Oh dear Cthulhu, how can you get a simple summary wrong on so many levels?

• Firstly, SHA-1 is a hash function, not a cipher, so you can't "decrypt it".
• Secondly, there's no immediate attack on it, it's just known to not be as strong as it should be. With a couple of simple precautions (e.g. using a high-entropy cert serial number) you can make it more resistant to known issues. It's not a total fix, but it helps.
• Thirdly, Mozilla doesn't control Symantec. Symantec were asked by a private customer to be allowed to use a small number of SHA-1 certs for their payment terminals, which have absolutely nothing to do with Mozilla.
• Fourthly, "other companies" have nothing to do with it, this is a decision by the CA. It just happened to be discussed on the Mozilla forums.
• ...
• Twenty-fifthly, it's a pretty odd distinction to make over cert issuance, if they'd issued a few weeks earlier (before the end of 2015) they'd have got cert with a one-year validity, so valid till the end of 2016. By not having them issued until now they're supposed to get one with an effective zero validity. All this is doing is allowing a private user with no connection to Mozilla to get the same effect as if it had bought the certs a few weeks ago.
• Twenty-sixthly, ...

Re:Choice of words?

[Man+On+Pink+Corner]

The part I still don't understand is why anyone would still need the old SHA-1 certificates. Are their systems THAT OLD? If so, I'm sure they have other problems that haven't been addressed.

Most existing Windows drivers were signed with SHA-1 code signing certificates. It's not 100% clear what's going to happen to those drivers, and the hardware they support, in future versions of Windows.

Re: Choice of words?

[guruevi]

That's all well and good but if you have a device that hasn't been updated since the mainstreaming of SHA2 (about a decade ago?), what other issues and vulnerabilities does that hardware/software have?

Re:Choice of words?

[BarbaraHudson]

This is a HUGE screw-up for a payment processor on the FTSE 100.

Re:Choice of words?

[mysidia]

Still, policy is policy, and the fact that Symantec is being allowed an exception (even if that exception makes some logical sense) is concerning.

I would suggest that in the future, CAs should be required to post a bond to get into the trust store, and there should be a financial penalty for non-compliance, AND the removal from trust store is at the option of some enforcement committee.

Preferably, the browser vendors should get together and agree to remove any certificate that the committee judges the enforcement action against, in addition to possible removal according to their own internal practices.

Re:Choice of words?

[Chuck+Chunder]

for why they need SHA-1 certs? Old POS terminals using public CA roots, and still without SHA-256 support. Welcome to the embedded world. And yes, I'm sure they have lots of other vulnerabilities.

What I don't understand (and maybe because I haven't looked too hard) is what "Old POS terminals" have to do with Mozilla. I can understand why Worldpay might need to support SHA1 for their own stuff, I don't quite get why that means a general browser should.

Indeed, perhaps it's nothing to do with the browser at all, and it just means that Symantec can issue these certs without being considered by Mozilla (the group) in breach of some agreed to policy, but that these certs still won't we accepted (if they were seen) by Mozilla (the browser).

If that is the case, then really this isn't a big deal at all. Mozilla's response just gives Worldpay a little more time to get their shit together within the current framework (the alternative, cutting them off, could be less secure, as it would probably mean Worldpay would end up rolling their own SHA1 CA and distributing that root authority to their POS terminals, perpetuating the problem indefinitely rather than giving them a short grace period to catch up)

Re:Choice of words?

[marcansoft]

Indeed, perhaps it's nothing to do with the browser at all, and it just means that Symantec can issue these certs without being considered by Mozilla (the group) in breach of some agreed to policy, but that these certs still won't we accepted (if they were seen) by Mozilla (the browser).

That is exactly what I said and exactly what this means. In fact, one of the stipulations is that the certs will be added to CRLs so that browsers explicitly distrust them.

If that is the case, then really this isn't a big deal at all. Mozilla's response just gives Worldpay a little more time to get their shit together within the current framework (the alternative, cutting them off, could be less secure, as it would probably mean Worldpay would end up rolling their own SHA1 CA and distributing that root authority to their POS terminals, perpetuating the problem indefinitely rather than giving them a short grace period to catch up)

Agreed, it's not a big deal, but it's a slippery slope. It's yet another instance of a big CA getting to bend the rules because they messed up, and it sets a precedent.

Re:Choice of words?

[Gerv]

"What I don't understand (and maybe because I haven't looked too hard) is what "Old POS terminals" have to do with Mozilla."

The certificates they are using chain up to publicly-trusted roots, and so are covered by Mozilla's policies. In 20-year hindsight, that was a bad idea, but it was a decision taken a long time ago.

Re:Choice of words?

[Provocateur]

the 90-day clause is so arbitrary, and the choice of '90' is random. Cough it up in 9 days using 10 top tier techs.
Only then do we know they are serious and on the level.

If only

Mozilla "bowed to pressure" over making a version of Firefox without pocket, australis and hello.

Mozilla needs to be shut down and replaced by a competent browser making organization.

Re: If only

Get Pale Moon.

Another sad commentary on the state of security

[rudy_wayne]

Once again we are reminded of the truly sad state of business security.

From TFA:

A company representative has informed Mozilla that one of its clients, Worldpay PLC, has asked for nine new SHA-1 certificates. Symantec explains that Worlpay has forgot to ask for nine new SHA-1 certificates for some of its servers that process SSL/TLS communications for over 10,000 payment terminals across the world. Worldpay blames this situation on a communications mishap. They say that someone forgot to ask for these certificates before the January 1 deadline.

The purpose of the January 1 deadline was supposed to be "Hey, your shit is not secure, you need to change to something else". It was NOT intended as "Hurry up and get all your shitty insecure SHA-1 certificates right away before we stop giving them out on Jan 1".

Re:Another sad commentary on the state of security

[Striek]

The problem is when those decisions end up putting someone out of business. I actually fully expected Mozilla to go Full Asshole on this; they consistently ignore the needs of users anyway. But it seems they were willing to reach a compromise, and especially in this case, I feel it's quite warranted:

Worldpay blames this situation on a communications mishap. They say that someone forgot to ask for these certificates before the January 1 deadline.

The company says they are already in the midst of the process of updating their servers to SHA-2, but this blunder now puts some of its users in danger of not having their payments go through.
-snip-
Internally, Mozilla has agreed to allow Symantec to issue these certificates under two conditions: the entire process should be transparent, and that the certificates should expire after only 90 days.

WorldPay is a rather large online payment processor - this would affect a rather large number of innocent users, which certainly wasn't the purpose behind the deadline. As much as I agree that SHA-1 based certs should be phased out, and phased out yesterday, Mozilla is right here - there are exceptions to every rule. This deadline was put in place to protect users, not put them out of business.

As a related aside, a friend of mine, a lawyer, recently asked for advice on how to store her passwords; she works as a crown prosecutor in a very tightly locked down environment. This jurisdiction's policies are so restrictive that the only workable solution employees can find to reasonably securely store passwords and logins is on their personal mobile phones - the sheer number of passwords is impossible to manage without writing them down or using a password manager (which they can't, due to application whitelisting). Yet another example of how overly restrictive security policies manage to achieve the exact opposite of their intent.

Security is a process, and a series of tradeoffs, not an absolute, and generally, those who fail to realize this end up harming the people they are supposed to protect.

Re:Another sad commentary on the state of security

[NormalVisual]

The company says they are already in the midst of the process of updating their servers to SHA-2, but this blunder now puts some of its users in danger of not having their payments go through.

I'm still not understanding why it's Mozilla's responsibility to fix an issue caused by WorldPay's irresponsibility. WorldPlay should have been ready for the new certs months ago, not still "in the midst of the process of updating their servers to SHA-2" two full months after they should have had that in production. Let WorldPay take the flak for the issue. If they can't even manage their certificate policy properly, they really have no business being a payment processor.

Re:Who Cares?

[rudy_wayne]

Well, at least Mozilla never promised that they wouldn't completely fuck up Firefox and render it irrelevant.

so...

[UVB-76]

i guess it's time to switch to chrome?

Re:so...

[eWarz]

Took you that long? Trust issues with Google aside, there were always Chromium along with other alternatives, and the platform is far superior to Firefox. Don't get me wrong, I was a Mozilla fanboy ever since they god rid of that god awful suite of applications they had and released Phoenix. etc. However, when Chrome came out, it redefined the browser market...just like the iPhone redefined the smart phone market (disclaimer: the only Apple devices I've ever owned were a Macintosh SE, SE/30, iPod Touch and a Macbook Pro...outside of dev work, I live, eat, and breath on a PC.) There is not a single browser on the market today that has the consistent speed and stability of Chrome. I even tried REALLY hard to like Firefox mobile (it has plugin support), but it was slow, unstable, and prone to freezing, just like it's desktop cousin. (Before you ask, I use almost every new version of Firefox that comes out...our test sweet tests against it)

Re:Who Cares?

[Threni]

I switched to firefox recently. It's great; the browser for android (chrome's out of the running as it doesn't support plugins,so you're stick with whatever ads or javascript the sites (and the ads running on the sites) feel like serving up) is the best out there, and the desktop one is great too. I hear people whining about firefox occasionally but i don't get it. Perhaps they're running hardware older than the 5 year old desktop i'm running.

Quid Pro Quo - Symantec

[burni2]

I would have let you pay for that favour.
I hope, but I also detest that Mozilla did exactly that.

Backdating

[El_Muerte_TDS]

Couldn't Symantec simply set the certificate date to be valid from 31 December of 2015?

Also, why would I trust Worldpay PLC with any business if they can screw up something as simple as renewing certificates?

Re:Backdating

[JenovaSynthesis]

Exactly my thought. Even more so if they're going to a more insecure cert too.

Anyone have the fingerprints of those certs?

[NecroPuppy]

So I can make sure they go in the Untrusted Certs folder where they belong?

Re:Anyone have the fingerprints of those certs?

[softnewsit]

there are 3 tweets at the end of the article the third includes links to the 9 certs symantec issued after the deadline

What ever happened to tough shit?

[thegarbz]

So this "blunder" means that user's payments aren't going through, and now the work around is to ensure the user's payments are no longer secure?

Sorry but I'd prefer my payment to not go through. I want no business with people who refuse to secure my financial transactions, I mean it's not like there wasn't a warning. Mozilla is again showing that they don't give a shit about users.

But the article gives rise to another interesting issue, it implies there may have been a rush on renewals for SHA-1 certs. This kicking the can down the road approach deserves naming and shaming.

Re:What ever happened to tough shit?

[phantomfive]

But the article gives rise to another interesting issue, it implies there may have been a rush on renewals for SHA-1 certs.

Yeah, and that's a worse issue than the one brought up by the summary.

Re:What ever happened to tough shit?

[MMC+Monster]

If the certificate gets it's 90 day extension, your payment is as secure as it was on 12/31/2015.

Of course the announcement that no new SHA-1 certificates would be issued after 12/31/2015 would mean there would be a rush to get them before that date. However, the second part was that the new certificates would be 1 year with no renewal.

Which means that if they were doing the right thing, they would have gotten them before the end of last year, and they would have expired before then end of this year.

Instead, they get them late and they expire before this Summer. It seems like it's a reasonable option in the real world.

Re:What ever happened to tough shit?

[thegarbz]

Which means that if they were doing the right thing, they would have gotten them before the end of last year, and they would have expired before then end of this year.

If they were doing the right thing they would have started upgrading their infrastructure when the vulnerability was first discovered instead of kicking the can as far as contractually possible down the road. This in itself doesn't change anything. There are people using SHA-1 which has been shown to be too weak to properly secure communications for critical connections. They should be named and shamed regardless if they upgraded their cert on the 31/12/15 or not.

Re:Who Cares?

[ArchieBunker]

I use uBlock and Disconnect and a handful of other extensions. I never have issues with ads or javascript.

Re: Another sad commentary on the state of securit

[rudy_wayne]

Man, you managed to read that far into the article but not the next 2 paragraphs. I can't tell if you're being purposefully disenginous or if your attention span is that short... For the record, the next two paragraphs state:

The company says they are already in the midst of the process of updating their servers to SHA-2, but this blunder now puts some of its users in danger of not having their payments go through.

Internally, Mozilla has agreed to allow Symantec to issue these certificates under two conditions: the entire process should be transparent, and that the certificates should expire after only 90 days.

First, why are they only "in the midst of updating" after the deadline has already has passed? This should have been done already. This goes back to my original point -- their attitude was not "hey we need to upgrade before Jan1". It was "we just need to hurry up and get some new certs before Jan 1 and then we can fuck off and do nothing for another year".

Second, what do you think is REALLY going to happen in 90 days?

Re: Another sad commentary on the state of securit

[drew_kime]

First, why are they only "in the midst of updating" after the deadline has already has passed? This should have been done already.

Payment systems upgrades can be year-long projects. Recertifying with your bank and other partners takes months. And with everyone having to do it at the same time, everyone is stretched thin getting it all done.

Re:Who Cares?

[arglebargle_xiv]

I use uBlock and Disconnect and a handful of other extensions. I never have issues with ads or javascript.

Don't worry, Mozilla are working hard to change that (via deprecation of the extension API).

Re:Who Cares?

[BarbaraHudson]

Just use the Ghostery browser on you phone - no plugins needed.

Mod parent higher.

[Futurepower(R)]

ArgleBargle, thanks for the clarifications.

What you said is the opposite of Argle Bargle: "Copious but meaningless talk or writing; nonsense".

Re:Who Cares?

[ArchieBunker]

I should have added, on Chrome.

Precedent risk, maybe, but not a technical one

The danger in issuing a certificate with a weak signature (like SHA1 today) is that the entity requesting the certificate (WorldPay in this case) is planning to take the signature from that certificate and apply it to another certificate, effectively forging the signature of the CA to create another valid certificate without the CA's blessing. In order to pull this off, the requestor needs to first find a hash collision (leveraging the weakness of the signature algorithm) and then anticipate exactly what's going to be in the issued certificate from the CA, down to the byte, before submitting the request.

Thus, the date of actual certificate issuance is the important date for security, not the date that it expires, since each passing day makes SHA-1 more breakable. But once the certificate has been issued, your window for breaking it has closed. This is the justification for disallowing any SHA1 issuance after 1/1/16, but allowing up to 39 month durations on certificates issued on 12/31/15 (though it was recommended that they expire by 12/31/16.)

In order to compensate for allowing this more dangerous issuance after the cutoff date, Mozilla imposed a requirement on these certificates that the serial number contain at least 80 random bits. This requirement effectively eliminates the risk of the SHA1 signature because now the contents of the final certificate are totally unpredictable to WorldPay. So I don't see how these certificates themselves could pose any threat to security, for those using the payment terminals in question, or for the larger internet community.

The best argument against allowing them to be issued is the precedent it sets. Will Mozilla now find themselves swimming in other such requests for the rest of the year? Mozilla had to weigh that risk against the economic damage that would have been caused to the 10,000 merchants who would suddenly lose their ability to take payments, and I personally think they made the right call.

Re:Who Cares?

[Stephen+Chadfield]

I am using Chrome with Adblock Plus on Android. As long as you can change the proxy settings for WiFi and mobile connections (and I can) it works fine. My phone (Sony Xperia Z3) is not even rooted. You have to download it from the Adblock site as Google have blocked it from the Play store.

Re: Another sad commentary on the state of securit

[chihowa]

Payment systems upgrades can be year-long projects. Recertifying with your bank and other partners takes months. And with everyone having to do it at the same time, everyone is stretched thin getting it all done.

Well, it's a good thing for them that NIST declared that "SHA-1 shall not be used for digital signature generation after December 31, 2013", back in January of 2011. They should be done with their year-long POS upgrade by sometime in 2012 at the latest.

Maybe businesses should follow actual security best practices instead of waiting for ultimatums.

Re: Another sad commentary on the state of securit

[drew_kime]

NIST isn't the standards body retailers care about. That would be PCI, the organization that determines who can take credit cards. And their deadline was not in 2013. http://www.businesswire.com/ne...

SAY IT AINT SO MOZ

[Provocateur]

The last bastion turned out to be a house of cards after all.

And Microsoft and Google weren't the highest bidders this time.

firefox me.

And there we have it...

[wardrich86]

How can anybody trust a "security" company that is literally crying to have people accept insecure certificates? Absolutely mindboggling.

It's really unfortunate, too... Symantec used to be top of the game.

Re:Who Cares?

[Threni]

No you haven't. (Note that I'm talking about Android.)