In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01. That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites. https://groups.google.com/d/topic/mozilla.dev.platform/ZNKxYgIk_Sg/discussion In order to enable measurement of the scope of this risk, we should (temporarily) change the default preference to accept all valid SHA-1 certificates, regardless of issance date.
Review commit: https://reviewboard.mozilla.org/r/29585/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/29585/
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler Review request updated; see interdiff: https://reviewboard.mozilla.org/r/29585/diff/1-2/
Tracked for 44 and 45.
Attachment #8704226 - Flags: review?(dkeeler) → review+
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler https://reviewboard.mozilla.org/r/29585/#review26395 r=me :(
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler https://reviewboard.mozilla.org/r/29585/#review26409
Attachment #8704226 - Flags: review+
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler Approval Request Comment [Feature/regressing bug #]: 942515 [User impact if declined]: Some users may be unable to access HTTPS sites [Describe test coverage new/current, TreeHerder]: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=dab1794bd567 [Risks and why]: Minimal. Reverting to state as of release. [String/UUID change made/needed]: N/A
I don't think we need to be in a rush to re-enable SHA-1 for ESR at the moment, but we have to make a call on that before we release 38.6.0esr.
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler Approved for uplift to aurora, beta, and release as this will help us assess the impact of this change on users.
Attachment #8704226 - Flags: approval-mozilla-release?
Attachment #8704226 - Flags: approval-mozilla-release+
Attachment #8704226 - Flags: approval-mozilla-beta?
Attachment #8704226 - Flags: approval-mozilla-beta+
Attachment #8704226 - Flags: approval-mozilla-aurora?
Attachment #8704226 - Flags: approval-mozilla-aurora+
This isn't affecting ESR after all; it's planned for 45esr instead.
https://hg.mozilla.org/releases/mozilla-release/rev/d83046b974f3 I'll uplift to aurora/beta in a bit.
Liz, do you think this matter needs our attention? Please let us know if you consider there's something we should cover here.
3 years ago
3 years ago
Updated the site compat doc... https://www.fxsitecompat.com/en-US/docs/2015/sha-1-based-certificates-with-validity-period-from-2016-will-not-be-validated/
Cornel, it would be great to verify the fix if you can reproduce the original problem. That means finding antivirus software or junkware that reproduces the original problem. I'm not sure we need to do that here. This reverts the pref back to what it was at the end of December, so I am not too worried about the risk of breaking something with this change.
OK, so this provides a short-term fix, and the long-term fix is the device vendor's job. Is there a medium-term fix? For example, could Firefox distinguish between the case where the root certificate is shipped with Firefox and when it is added by the user or system administrator, and only allow SHA-1 certs in the latter case? (I think that's what Microsoft are doing.) Or perhaps even make this an option on a per-root-certificate basis? So the user or system administrator can take the man-in-the-middle device's root certificate and set a flag on it meaning "allow SHA-1 certificates signed by this certificate"?
[bugday-20160323] Status: RESOLVED,FIXED -> UNVERIFIED Comments: STR: Not clear. Developer specific testing Component: Name Firefox Version 46.0b9 Build ID 20160322075646 Update Channel beta User Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 OS Windows 7 SP1 x86_64 Expected Results: Developer specific testing Actual Results: As expected
You need to log in before you can comment on or make changes to this bug.