Closed Bug 1137484 Opened 11 years ago Closed 3 days ago

Show Untrusted Connection Error when cert in chain uses less than RSA 2048 signatures

Categories: Core :: Security: PSM, enhancement, P1
Status: RESOLVED FIXED
Target Milestone: 150 Branch
Tracking Status: firefox150 --- fixed
People: Reporter: keeler, Assigned: keeler
Whiteboard: [psm-assigned]
Attachments: 1 file

+++ This bug was initially created as a clone of Bug #1049740 +++

According to Mozilla Policy and the CA/Browser Forum Baseline Requirements, certificates should now have RSA key sizes of 2048 bits or stronger.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

"8. We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: ... RSA 2048 bits or higher; and RSA 1024 bits (only until December 31, 2013)."

and

"9. We expect CAs to maintain current best practices to prevent algorithm attacks against certificates. As such, the following steps will be taken: ... all end-entity certificates with RSA key sizes smaller than 2048 bits must expire by December 31, 2013; after December 31, 2013, Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits"

CA/Browser Forum Baseline Requirements, Appendix A:

"Subordinate CA Certificates - Validity period beginning after 31 Dec 2010 or ending after 31 Dec 2013 - Minimum RSA modulus size (bits) - 2048"

and

"Subscriber Certificates - Validity period ending after 31 Dec 2013 - Minimum RSA modulus size (bits) - 2048"

So we should start showing the Untrusted Connection error when we encounter certificates in the chain that use less than RSA 2048 signatures.
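The last sentence of the description is the actual check: walk the chain and reject any certificate whose RSA public key is below 2048 bits. What follows is an added example of that check in Python, not code from this bug or from Firefox/PSM. Everything in it is constructed: the minimal DER helpers, the synthetic moduli (integers chosen only for their bit length, not real RSA keys), the placeholder P-256 point used to show that non-RSA keys are skipped, and the root_is_builtin flag, which models keeler's later remark that private CAs are unaffected. How the landed Firefox patch scopes the check internally is not shown on this page.

```python
# Added example (not Firefox/PSM code): parse each certificate's
# SubjectPublicKeyInfo and flag RSA moduli below 2048 bits. All key material
# is constructed: moduli are synthetic integers picked for bit length only.

MIN_RSA_BITS = 2048

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    """DER INTEGER; a 0x00 pad is added when the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def oid_bytes(dotted):
    """Content octets of an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(enc))
    return bytes(out)

RSA_OID = oid_bytes("1.2.840.113549.1.1.1")  # rsaEncryption
EC_OID = oid_bytes("1.2.840.10045.2.1")      # id-ecPublicKey
P256_OID = oid_bytes("1.2.840.10045.3.1.7")  # secp256r1

def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo carrying an RSAPublicKey (RFC 3279 layout)."""
    alg = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")
    pub = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + pub))

def ec_spki():
    """SubjectPublicKeyInfo for a P-256 key; the point is a constructed placeholder."""
    alg = der(0x30, der(0x06, EC_OID) + der(0x06, P256_OID))
    return der(0x30, alg + der(0x03, b"\x00\x04" + b"\x11" * 64))

def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """RSA modulus size in bits, or None when the key is not RSA."""
    tag, body, end = read_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI must be a single SEQUENCE")
    tag, alg, pos = read_tlv(body)
    otag, oid, _ = read_tlv(alg)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    if oid != RSA_OID:
        return None
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, pub, _ = read_tlv(bits, 1)
    ntag, n_bytes, _ = read_tlv(pub)
    if tag != 0x30 or ntag != 0x02:
        raise ValueError("subjectPublicKey is not an RSAPublicKey")
    # Measure the integer, not the DER content length: a 2048-bit modulus is
    # encoded in 257 bytes (sign pad) while a 2047-bit one fits in 256.
    return int.from_bytes(n_bytes, "big").bit_length()

def weak_rsa_in_chain(chain_spkis, root_is_builtin):
    """(index, bits) of every RSA key below MIN_RSA_BITS in a chain (leaf first).
    Assumption of this example: enforced only for chains ending in a built-in
    root (private CAs untouched), and every certificate in the chain is checked."""
    if not root_is_builtin:
        return []
    found = []
    for i, spki in enumerate(chain_spkis):
        bits = rsa_modulus_bits(spki)
        if bits is not None and bits < MIN_RSA_BITS:
            found.append((i, bits))
    return found

# Constructed sample chains (leaf first); moduli are synthetic, chosen by bit length.
OK_CHAIN = [rsa_spki((1 << 2047) | 1), ec_spki(), rsa_spki((1 << 4095) | 1)]
WEAK_CHAIN = [rsa_spki((1 << 2047) | 1), rsa_spki((1 << 1023) | 1), rsa_spki((1 << 2047) | 1)]
BOUNDARY_CHAIN = [rsa_spki((1 << 2046) | 1)]  # 2047 bits: a byte-count check would pass it

if __name__ == "__main__":
    print(weak_rsa_in_chain(WEAK_CHAIN, True), weak_rsa_in_chain(BOUNDARY_CHAIN, True))  # [(1, 1024)] [(0, 2047)]
```

The detail worth keeping from this is how the size is measured: bit_length() of the decoded modulus, not the byte count of the DER INTEGER. Because DER pads a top-bit-set value with a 0x00 sign byte, a 2048-bit modulus occupies 257 content bytes while a 2047-bit one occupies 256, so a byte-count comparison against 256 is permissive by up to seven bits and would let a 2047-bit key through.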
The telemetry gathered so far doesn't look good. I think we need to implement bug 657228 first.
Depends on: 657228
Whiteboard: [psm-blocked]
I think that whenever we eventually proceed with this, we should do it as a pref that we can experiment with via a Shield Study. (As of Firefox 51's telemetry, 0.29% of auth keys and 3% of key agreement keys are RSA 1024, which makes sense as those are no longer permitted by the Baseline Requirements as of 2013-12-31, so they are rapidly expiring.)
Priority: -- → P3
Severity: normal → S3
Assignee: nobody → dkeeler
Severity: S3 → N/A
Status: NEW → ASSIGNED
Type: defect → enhancement
Priority: P3 → P1
Whiteboard: [psm-blocked] → [psm-assigned]
Pushed by dkeeler@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/8d659bf1b2a6
https://hg.mozilla.org/integration/autoland/rev/3a72cb94d54a
enforce 2048-bit RSA minimum for certificates issued by built-in roots r=jschanck
Status: ASSIGNED → RESOLVED
Closed: 3 days ago
Resolution: --- → FIXED
Target Milestone: --- → 150 Branch

This seems like something we might want to call out in the release notes. Please nominate if you agree.

Flags: needinfo?(dkeeler)

This seems like quite a jump from an 8-year-old comment to a fix :).

What does the telemetry look like?

What happened to cause this to happen now?

I don't know that we need to include this in the release notes. Folks already shouldn't have been able to get <2048-bit RSA certificates from publicly-trusted CAs, and private CAs are unaffected.

(In reply to Mike Kaply [:mkaply] from comment #7)

> What does the telemetry look like?

A maximum of ~0.05% of connections may be affected (https://sql.telemetry.mozilla.org/queries/95643#237252) (compare to ~1.5% of connections that already fail for other reasons), but again, publicly-trusted CAs shouldn't be issuing these certificates, so the actual number of affected connections should be 0.

> What happened to cause this to happen now?

We should have done this a long time ago. The baseline requirements forbade this more than a decade ago, and we've had intermediate preloading to bridge any intermediate issues for a few years now.

Flags: needinfo?(dkeeler)