Re-enable SHA-1 certificates

RESOLVED FIXED in Firefox 43

Status

()

defect
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: rbarnes, Assigned: rbarnes)

Tracking

({dev-doc-complete, site-compat})

unspecified
Firefox 46
Points:
---
Bug Flags:
qe-verify ?

Firefox Tracking Flags

(firefox42 unaffected, firefox43+ fixed, firefox44+ fixed, firefox45+ fixed, firefox46 fixed, firefox-esr38 unaffected, firefox-esr45- fixed)

Details

Attachments

(1 attachment)

Assignee

Description

3 years ago
In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01.  That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites.

https://groups.google.com/d/topic/mozilla.dev.platform/ZNKxYgIk_Sg/discussion

In order to enable measurement of the scope of this risk, we should (temporarily) change the default preference to accept all valid SHA-1 certificates, regardless of issance date.
Assignee

Comment 2

3 years ago
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/29585/diff/1-2/
Attachment #8704226 - Attachment description: MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates → MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
Attachment #8704226 - Flags: review?(dkeeler)
Tracked for 44 and 45.
Assignee

Comment 5

3 years ago
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

https://reviewboard.mozilla.org/r/29585/#review26409
Attachment #8704226 - Flags: review+
Assignee

Comment 7

3 years ago
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

Approval Request Comment
[Feature/regressing bug #]: 942515
[User impact if declined]: Some users may be unable to access HTTPS sites
[Describe test coverage new/current, TreeHerder]: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=dab1794bd567
[Risks and why]: Minimal.  Reverting to state as of release.
[String/UUID change made/needed]: N/A
Attachment #8704226 - Flags: approval-mozilla-release?
Attachment #8704226 - Flags: approval-mozilla-beta?
Attachment #8704226 - Flags: approval-mozilla-aurora?
I don't think we need to be in a rush to re-enable SHA-1 for ESR at the moment, but we have to make a call on that before we release 38.6.0esr.
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

Approved for uplift to aurora, beta, and release as this will help us assess the impact of this change on users.
Attachment #8704226 - Flags: approval-mozilla-release?
Attachment #8704226 - Flags: approval-mozilla-release+
Attachment #8704226 - Flags: approval-mozilla-beta?
Attachment #8704226 - Flags: approval-mozilla-beta+
Attachment #8704226 - Flags: approval-mozilla-aurora?
Attachment #8704226 - Flags: approval-mozilla-aurora+
This isn't affecting ESR after all; it's planned for 45esr instead.
Liz, do you think this matter needs our attention?
Please let us know if you consider there's something we should cover here.
Flags: qe-verify?
Flags: needinfo?(lhenry)

Comment 16

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/dab1794bd567
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Cornel, it would be great to verify the fix if you can reproduce the original problem. That means finding antivirus software or junkware that reproduces the original problem. I'm not sure we need to do that here. 

This reverts the pref back to what it was at the end of December, so I am not too worried about the risk of breaking something with this change.
Flags: needinfo?(lhenry)

Comment 19

3 years ago
OK, so this provides a short-term fix, and the long-term fix is the device vendor's job.  Is there a medium-term fix?  For example, could Firefox distinguish between the case where the root certificate is shipped with Firefox and when it is added by the user or system administrator, and only allow SHA-1 certs in the latter case?  (I think that's what Microsoft are doing.)

Or perhaps even make this an option on a per-root-certificate basis?  So the user or system administrator can take the man-in-the-middle device's root certificate and set a flag on it meaning "allow SHA-1 certificates signed by this certificate"?

Comment 20

3 years ago
[bugday-20160323]

Status: RESOLVED,FIXED -> UNVERIFIED

Comments:
STR: Not clear.
Developer specific testing

Component: 
Name			Firefox
Version			46.0b9
Build ID		20160322075646
Update Channel          beta
User Agent		Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
OS			Windows 7 SP1 x86_64

Expected Results: 
Developer specific testing

Actual Results: 
As expected
You need to log in before you can comment on or make changes to this bug.