Closed Bug 1236664 Opened 10 years ago Closed 3 years ago

Users who have "Simmons Connect Research Application" cannot access any HTTPS pages after January 1st 2016

Categories

(Web Compatibility :: Site Reports, defect, P5)

defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: dholbert, Unassigned)

Details

(Keywords: webcompat:site-wait, Whiteboard: [sitewait])

(For background, see this thread: https://groups.google.com/d/msg/mozilla.dev.platform/ZNKxYgIk_Sg/xEx4K1q0BQAJ )

According to a user report, the consumer-profiling tool "Simmons Connect Research Application" completely breaks HTTPS sites in Firefox, starting on January 1st. This tool installs a local HTTPS man-in-the-middle / proxy, which generates HTTPS certificates dynamically. Unfortunately, it does so using the deprecated SHA1 algorithm. Starting January 1st, Firefox treats any recently-issued certs that use SHA1, because legitimate certificate authorities are no longer issuing such certificates. More on that here: https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Filing this bug for any outreach/triage that we need to do on our end. I've reached out to Experian over twitter, and I submitted an inquiry via their web portal for "Simmons Connect Research Application" (which is geared at customers, so I expect I'll get a call from a sales rep). I also reached out to "Digital Market Research Apps", which is the company that's reported as the issuer of the dynamically-generated certificates. Text of my message is here: https://groups.google.com/d/msg/mozilla.dev.platform/ZNKxYgIk_Sg/-TWcH9_cBQAJ

I'm tentatively offering up myself as a contact person to these companies, but I'm also happy if someone with more HTTPS/SSL know-how (Richard?) would be up for having responses directed their way.
Summary: Users with "Simmons Connect Research Application" installed cannot access any HTTPS pages after January 1st 2016 → Users who have "Simmons Connect Research Application" cannot access any HTTPS pages after January 1st 2016
(In reply to Daniel Holbert [:dholbert] from comment #0)
> Starting January 1st, Firefox treats any
> recently-issued certs that use SHA1, because legitimate certificate
> authorities are no longer issuing such certificates.

typo -- meant to say "treats any recently-issued certs that use SHA1 *as untrusted*"
An initial list of questions for them:

1. How many people have this software installed?
2. Do you have a way to automatically update those users?
3. What is your plan for updating your software to use SHA-256 to sign certificates?
<TANGENT>

I haven't heard anything back from Experian yet, but I had a twitter back & forth with Ryan Sleevi (Chrome security hacker); he offered some useful information: https://twitter.com/CodingExon/status/684525306523209729

Notable points:
(1) There are lots of other "security" programs that do the same thing (SSL interception with SHA1 certs). So, Experian may be one of many companies that we would need to contact about this, if we were going to try to get problematic 3rd-party apps fixed.
(2) Chrome's "first phase" of SHA1 un-trusting won't make it to release for a few months. (a few weeks + 12-14 weeks of release-trains)
(3) "Note that our first phase of SHA-1 deprecation (up until the 2017 cliff) is only for PTCs [...] That is, MITM software is exempted. Pros and cons of that, but certainly helps users." (PTCs = Publicly Trusted Certificates)
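The mechanism comment #0 describes (a local proxy minting SHA-1-signed leaf certificates on the fly, which Firefox distrusts once their notBefore is on or after 2016-01-01) and the exemption for non-publicly-trusted roots that comment #3 relays from Chrome, worked through as an added example. This is not code from Mozilla, Experian or this bug: the DER helpers and the sample certificates are constructed here (issuer, subject, key and signature are empty placeholders, so they are not verifiable certificates), and the root_is_builtin switch is an assumption that models the MITM/local-root exemption the thread discusses, not confirmed Firefox behaviour. Only the signature-algorithm OIDs and the two phase-out dates come from the blog post linked in comment #0.

```python
"""Model of the SHA-1 phase-out check, applied to the leaf certificates a local
HTTPS interception proxy mints on the fly.  Added example, not Mozilla's or
Experian's code: DER helpers, sample certs and root_is_builtin are constructed."""
from datetime import datetime, timezone

SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
PHASE1 = datetime(2016, 1, 1, tzinfo=timezone.utc)  # newly issued SHA-1 certs distrusted
CLIFF = datetime(2017, 1, 1, tzinfo=timezone.utc)   # all SHA-1 certs distrusted

def tlv(tag, body):  # toy DER encoder: short-form lengths only, skeleton stays < 128 bytes
    assert len(body) < 0x80, "toy encoder handles short-form lengths only"
    return bytes([tag, len(body)]) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:               # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(sig_oid, not_before, not_after):
    """Constructed Certificate with the fields the policy reads; names, key and signature are placeholders."""
    alg = seq(oid(sig_oid), tlv(0x05, b""))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                 # [0] version: v3
        tlv(0x02, b"\x01"),                            # serialNumber
        alg,                                           # signature
        seq(),                                         # issuer (placeholder)
        seq(utctime(not_before), utctime(not_after)),  # validity
        seq(),                                         # subject (placeholder)
        seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00")),  # spki
    )
    return seq(tbs, alg, tlv(0x03, b"\x00" * 17))      # signatureValue placeholder

def _read(buf, pos):  # decoder: (tag, body, position after this TLV); handles long-form lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def decode_time(tag, body):  # 0x17 UTCTime, 0x18 GeneralizedTime (no fractional seconds)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

def inspect(der):
    """Return (signature algorithm OID, notBefore) from a DER Certificate."""
    tbs, sig_alg, _sig = _children(_read(der, 0)[1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:          # explicit version is optional
        fields = fields[1:]           # now: serial, signature, issuer, validity, ...
    inner = decode_oid(_children(fields[1][1])[0][1])
    outer = decode_oid(_children(sig_alg[1])[0][1])
    if inner != outer:                # RFC 5280 4.1.1.2 requires the two to match
        raise ValueError("signature algorithm mismatch: %s vs %s" % (inner, outer))
    nb_tag, nb_body = _children(fields[3][1])[0]
    return outer, decode_time(nb_tag, nb_body)

def sha1_verdict(der, today, root_is_builtin=True):
    """Phase-out rules from the blog post.  root_is_builtin=False is an ASSUMPTION modelling
    the exemption for chains ending at a locally-installed (MITM) root, not confirmed behaviour."""
    alg, not_before = inspect(der)
    if alg != SHA1_RSA:
        return "ok", "not SHA-1 signed"
    if not root_is_builtin:
        return "ok", "SHA-1 tolerated for locally-installed roots (assumed exemption)"
    if today >= CLIFF:
        return "untrusted", "SHA-1 disabled for all certificates from 2017-01-01"
    if not_before >= PHASE1:
        return "untrusted", "SHA-1 certificate issued on or after 2016-01-01"
    return "ok", "SHA-1 certificate issued before 2016-01-01 (legacy)"
```

On a real certificate the same two fields are what `openssl x509 -in cert.pem -noout -text` prints as `Signature Algorithm` and `Not Before`; a leaf from an interception proxy that shows `sha1WithRSAEncryption` with a 2016 `Not Before` is exactly the case this bug reports, and the fix the vendor was asked for (question 3 above) changes only the first of those two fields.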
Got a reply to one of my inquiries. Reply was sent by digitalmarketresearchapps at au.experian.com (which seems to indicate that Digital Market Research Apps -- the issuer of the certs -- is a subsidiary of Experian):

> Hi Daniel,
>
> Thank you for your email.
>
> We are currently investigating this issue internally and will provide an update to our users once we have the fixes out.
>
> Best regards,
> Geraldine
Just sent this reply:
===
Hi Geraldine,

Thanks for the response. We at Mozilla are also looking into ways we can mitigate this, too, for the time being. (Though, note that any mitigation will be short-term, because *all* web browsers have committed to completely dropping support for SHA-1 as of January 1, 2017. We're taking incremental steps before that, as described at https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ )

We've got a few questions, which would help us understand the scope of the problem from our perspective:
1. Approximately how many people have this "Digital Market Research Apps" HTTPS-interception software installed?
2. Do you have a way to automatically update those users? (or do they have to download & install the updates manually?)
3. What is your plan for updating the software to use SHA-256 to sign certificates?
4. Would it be possible for us to obtain a functional copy of this software that we could use for testing mitigations on our end?

Thanks,
~Daniel
(In reply to Daniel Holbert [:dholbert] from comment #5)
> January 1, 2017. We're taking incremental steps before that, as described

s/2017/2016/g I guess ;)
Nope, I meant 2017...
Heard back from Geraldine in response to comment 5.
1) I won't publicly post the exact numbers she gave me, except to say there are probably fewer than 10,000 Firefox users with Simmons Connect. (Though there are surely other Firefox users out there who have similar MITM tools.)
2) Simmons Connect can issue "channel updates", which I assume means automatic updates.
3) Their team is currently working on supporting SHA-256.
4) They're going to send me a testing version of their software.
Whiteboard: [sitewait]
Priority: -- → P5
Product: Tech Evangelism → Web Compatibility

See bug 1547409. Moving webcompat whiteboard tags to keywords.

Any news on this issue Daniel?

Flags: needinfo?(dholbert)

There was a bit more back-and-forth over email (back in 2016), between me and Geraldine and someone on our security team.

I think we ended up shipping some mitigation (maybe allowing SHA-1 a bit longer for local roots?), but presumably any local software that was affected by this was updated to no longer have this issue over the past 6 years.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dholbert)
Resolution: --- → WORKSFORME