Last Comment Bug 1339662 - Deprecate SHA-1 to 100% of Beta and Release Users
: Deprecate SHA-1 to 100% of Beta and Release Users
Status: RESOLVED FIXED
[psm-assigned][go-faster-system-addon]
:
Product: Core
Classification: Components
Component: Security: PSM (show other bugs)
: unspecified
: Unspecified Unspecified
P1 enhancement (vote)
: ---
Assigned To: David Keeler [:keeler] (use needinfo?)
:
: David Keeler [:keeler] (use needinfo?)
Mentors:
https://wiki.mozilla.org/Security/Cry...
Depends on: 1328718 1336616 1338228
Blocks: 1321114
  Show dependency treegraph
 
Reported: 2017-02-14 17:15 PST by J.C. Jones [:jcj]
Modified: 2017-02-28 08:21 PST (History)
11 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
1339662-disable-sha1.diff (2.44 KB, patch)
2017-02-15 16:37 PST, David Keeler [:keeler] (use needinfo?)
jjones: review+
Details | Diff | Splinter Review
disableSHA1rollout.xpi (4.77 KB, application/octet-stream)
2017-02-16 14:06 PST, David Keeler [:keeler] (use needinfo?)
no flags Details
disableSHA1rollout.xpi signed (8.65 KB, application/octet-stream)
2017-02-16 15:25 PST, Jason Thomas [:jason]
no flags Details

Description User image J.C. Jones [:jcj] 2017-02-14 17:15:39 PST
(Follow on to Bug 1328718, Bug 1336616, and Bug 1338228)

Twelve years ago yesterday, the research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu announced that they had broken [1] SHA-1 for the first time. [2]

Per the SHA-1 Shutoff Plan [3], we're going to update the system addon's Release-channel test threshold to 100% for the week of 20 Feb 2017. The resulting addon-config will be 100% cohorts for both release and beta, permitting a 100% cohort via Go Faster.

[1] Well, found an enormous speedup from 2^160 to 2^69
[2] Wang, Xiaoyun, Yiqun Lisa Yin, and Hongbo Yu. "Collision search attacks on SHA1." (2005)
[3] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Comment 1 User image David Keeler [:keeler] (use needinfo?) 2017-02-15 16:37:23 PST
Created attachment 8837858 [details] [diff] [review]
1339662-disable-sha1.diff
Comment 2 User image J.C. Jones [:jcj] 2017-02-16 10:34:33 PST
Comment on attachment 8837858 [details] [diff] [review]
1339662-disable-sha1.diff

Review of attachment 8837858 [details] [diff] [review]:
-----------------------------------------------------------------

With this patch, a shatter'd visage is obscured,
Its' sneer of cold command in history orphaned.
That one whose results were long once, and secure,
But now resides, antique, imprinted on things best forgotten.
Comment 3 User image David Keeler [:keeler] (use needinfo?) 2017-02-16 14:06:07 PST
Created attachment 8838252 [details]
disableSHA1rollout.xpi

Jason, would you sign this please? Thanks!
Comment 4 User image Jason Thomas [:jason] 2017-02-16 15:25:27 PST
Created attachment 8838297 [details]
disableSHA1rollout.xpi signed

Please see attached.
Comment 5 User image David Keeler [:keeler] (use needinfo?) 2017-02-16 15:27:44 PST
Thanks!
Justin, can you confirm attachment 8838297 [details] works as expected? (It's supposed to disable SHA-1 100% of the time in beta and release). Thanks!
Comment 6 User image Cory Price [:ckprice] (bugmail disabled, NI me!) 2017-02-16 15:31:48 PST
(In reply to Jason Thomas [:jason] from comment #4)
> Created attachment 8838297 [details]
> disableSHA1rollout.xpi signed
> 
> Please see attached.
Could you please also upload this to https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/?

I'm waiting for access in bug 1312887 comment 4
Comment 7 User image Justin [:JW_SoftvisionQA] 2017-02-16 16:02:09 PST
Everything looks good and works as expected David.
Comment 8 User image David Keeler [:keeler] (use needinfo?) 2017-02-16 16:15:01 PST
Thanks!
Comment 9 User image Jason Thomas [:jason] 2017-02-17 07:59:41 PST
(In reply to Cory Price [:ckprice] from comment #6)
> (In reply to Jason Thomas [:jason] from comment #4)
> > Created attachment 8838297 [details]
> > disableSHA1rollout.xpi signed
> > 
> > Please see attached.
> Could you please also upload this to
> https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/?
> 
> I'm waiting for access in bug 1312887 comment 4

Done. https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/disableSHA1rollout.xpi
Comment 10 User image J.C. Jones [:jcj] 2017-02-21 08:19:47 PST
Error reporting data shows no uptick in volume since we've turned things on [1].

Per that and the schedule [2], I think this is ready to get into the GoFaster queue, ckprice.

[1] https://i.have.insufficient.coffee/deprecation-20170221.png
[2] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1#Planned_Sampled_Rollout_Timeline
Comment 11 User image J.C. Jones [:jcj] 2017-02-23 06:28:08 PST
And 12 years and 9 days after the first major speedup in cryptanalysis of SHA-1 (Comment #0), Google has announced they forced a collision. [1]

[1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Comment 12 User image eltrai 2017-02-23 06:39:52 PST
(In reply to J.C. Jones [:jcj] from comment #0)
> [1] Well, found an enormous speedup from 2^160 to 2^69

For the sake of correctness, it's a speedup from 2^80 to 2^69. The birthday paradox is still a factor, and this is a collision attack, not a second preimage attack.
Comment 13 User image J.C. Jones [:jcj] 2017-02-23 08:43:49 PST
(In reply to eltrai from comment #12)
> For the sake of correctness, it's a speedup from 2^80 to 2^69. The birthday
> paradox is still a factor, and this is a collision attack, not a second
> preimage attack.

The original poster is indebted for your correction, for of course you're right. :)
Comment 14 User image Liz Henry (:lizzard) (needinfo? me) 2017-02-23 09:32:21 PST
From discussion in irc with jcj and jcristau, let's move ahead with this on release 51. Good timing.....
Comment 15 User image Cory Price [:ckprice] (bugmail disabled, NI me!) 2017-02-23 09:52:03 PST
This is up on stage. /cc Thomas from data.
Comment 16 User image Ciprian Muresan [:cmuresan], Desktop Engineering QA 2017-02-24 00:33:15 PST
*** Bug 1342290 has been marked as a duplicate of this bug. ***
Comment 17 User image Alexander Kohr 2017-02-28 07:51:25 PST
Have you started rolling this out on a "test" basis to non beta firefox 51 users?

I ask as two people are having trouble accessing an December 2013 sha1 certificated that still has several months until it expires. Neither believe that they signed up for the Firefox beta Program, however their firefox 51.0.1 has disableSHA1.rollout.cohort set to "test" unlike the other 51.0.1 users whom either don't have the that preference name or have it set to "control".
Comment 18 User image J.C. Jones [:jcj] 2017-02-28 08:05:10 PST
(In reply to Alexander Kohr from comment #17)
> Have you started rolling this out on a "test" basis to non beta firefox 51
> users?

Yes, this was released Friday to all Firefox 51 users. [1] Some percentage of Firefox users don't receive these kinds of updates, though, and will only have their preference changed when they upgrade to 52. ESR users will get it in ESR 52.

Continued use of SHA-1 certificates issued through the Mozilla root program will require adjusting the security.pki.sha1_enforcement_level to either 4 (permit certificates pre-2016) or 0 (allow all SHA-1).

[1] https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
Comment 19 User image Alexander Kohr 2017-02-28 08:21:53 PST
Thanks You. My initial web search seem to have missed the Febuary 23rd 2017 blog post about this at https://blog.mozilla.org/security/. I'll be doing the right thing a pushing for the server to update to be updated to a sha2 certificate.

Note You need to log in before you can comment on or make changes to this bug.