Bug 1236975 - Re-enable SHA-1 certificates
Status: RESOLVED FIXED (Closed)
Opened 8 years ago; closed 8 years ago
Product / Component: Firefox :: Security, defect
Target Milestone: Firefox 46
Reporter: rbarnes; Assignee: rbarnes
Keywords: dev-doc-complete, site-compat
Attachments (1 file): 58 bytes, text/x-review-board-request
  keeler: review+; rbarnes: review+; lizzard: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-release+
Description:
In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01. That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites.
https://groups.google.com/d/topic/mozilla.dev.platform/ZNKxYgIk_Sg/discussion
In order to enable measurement of the scope of this risk, we should (temporarily) change the default preference to accept all valid SHA-1 certificates, regardless of issuance date.
Comment 1 (Assignee, 8 years ago):
Review commit: https://reviewboard.mozilla.org/r/29585/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/29585/
Comment 2 (Assignee, 8 years ago):
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/29585/diff/1-2/
Attachment #8704226 - Attachment description: MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates → MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
Attachment #8704226 - Flags: review?(dkeeler)
Tracked for 44 and 45.
status-firefox44: --- → affected
status-firefox45: --- → affected
tracking-firefox44: --- → +
tracking-firefox45: --- → +
Attachment #8704226 - Flags: review?(dkeeler) → review+
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
https://reviewboard.mozilla.org/r/29585/#review26395
r=me :(
Comment 5 (Assignee, 8 years ago):
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
https://reviewboard.mozilla.org/r/29585/#review26409
Attachment #8704226 - Flags: review+
Comment 7 (Assignee, 8 years ago):
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
Approval Request Comment
[Feature/regressing bug #]: 942515
[User impact if declined]: Some users may be unable to access HTTPS sites
[Describe test coverage new/current, TreeHerder]: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=dab1794bd567
[Risks and why]: Minimal. Reverting to state as of release.
[String/UUID change made/needed]: N/A
Attachment #8704226 - Flags: approval-mozilla-release?
Attachment #8704226 - Flags: approval-mozilla-beta?
Attachment #8704226 - Flags: approval-mozilla-aurora?
Comment 8 (8 years ago):
I don't think we need to be in a rush to re-enable SHA-1 for ESR at the moment, but we have to make a call on that before we release 38.6.0esr.
status-firefox-esr38: --- → ?
tracking-firefox-esr38: --- → ?
Updated (8 years ago):
status-firefox43: --- → affected
tracking-firefox43: --- → +
Comment 9 (8 years ago):
Comment on attachment 8704226 [details] MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
Approved for uplift to aurora, beta, and release as this will help us assess the impact of this change on users.
Attachment #8704226 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #8704226 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8704226 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10 (8 years ago):
This isn't affecting ESR after all; it's planned for 45esr instead.
status-firefox-esr45: --- → affected
tracking-firefox-esr45: --- → ?
https://hg.mozilla.org/releases/mozilla-release/rev/d83046b974f3
I'll uplift to aurora/beta in a bit.
status-firefox-esr45: affected → ---
tracking-firefox-esr45: ? → ---
Oops, midaired.
status-firefox-esr45: --- → affected
tracking-firefox-esr38: ? → ---
tracking-firefox-esr45: --- → ?
https://hg.mozilla.org/releases/mozilla-beta/rev/fdaceb3b6338
https://hg.mozilla.org/releases/mozilla-aurora/rev/80c32daf6812
Comment 14 (8 years ago):
Liz, do you think this matter needs our attention? Please let us know if you consider there's something we should cover here.
Flags: qe-verify?
Flags: needinfo?(lhenry)
Updated (8 years ago):
Keywords: dev-doc-needed, site-compat
Comment 15 (8 years ago):
Updated the site compat doc...
https://www.fxsitecompat.com/en-US/docs/2015/sha-1-based-certificates-with-validity-period-from-2016-will-not-be-validated/
Keywords: dev-doc-needed → dev-doc-complete
Comment 16 (bugherder, 8 years ago):
https://hg.mozilla.org/mozilla-central/rev/dab1794bd567
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox46: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Comment 17 (bugherder uplift, 8 years ago):
https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/fdaceb3b6338
status-b2g-v2.5: --- → fixed
Comment 18 (8 years ago):
Cornel, it would be great to verify the fix if you can reproduce the original problem. That means finding antivirus software or junkware that reproduces the original problem. I'm not sure we need to do that here. This reverts the pref back to what it was at the end of December, so I am not too worried about the risk of breaking something with this change.
status-b2g-v2.5: fixed → ---
Flags: needinfo?(lhenry)
Comment 19 (8 years ago):
OK, so this provides a short-term fix, and the long-term fix is the device vendor's job. Is there a medium-term fix? For example, could Firefox distinguish between the case where the root certificate is shipped with Firefox and when it is added by the user or system administrator, and only allow SHA-1 certs in the latter case? (I think that's what Microsoft are doing.) Or perhaps even make this an option on a per-root-certificate basis? So the user or system administrator can take the man-in-the-middle device's root certificate and set a flag on it meaning "allow SHA-1 certificates signed by this certificate"?
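The two policies discussed on this bug, the Bug 942515 rule being reverted here (reject a SHA-1-signed certificate whose notBefore falls on or after 2016-01-01) and the "allow SHA-1 only under an imported root" refinement asked about in comment 19, as an added example that is not Firefox, NSS or mozilla::pkix code. It models an already-validated chain as a list of dicts (constructed input) instead of parsing X.509; the policy names, the sample chains, and the decision to treat the 2016-01-01 boundary as inclusive are this example's own assumptions. The signature-algorithm OIDs are the real ones.

```python
"""SHA-1 certificate policy check (added example; not Firefox/NSS code)."""
from datetime import datetime, timezone

# Real signatureAlgorithm OIDs whose digest is SHA-1.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# Boundary treated as inclusive (this example's assumption): a certificate
# whose notBefore is at or after this instant counts as a "2016 certificate".
SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

# Policy names are this example's own, not Firefox preference values.
ALLOW_ALL = "allow-all"                      # state this bug reverts to
FORBID_AFTER_CUTOFF = "forbid-after-cutoff"  # rule introduced by Bug 942515
IMPORTED_ROOT_ONLY = "imported-root-only"    # refinement asked about in comment 19


def check_sha1_policy(chain, policy):
    """Apply a SHA-1 policy to a chain that has otherwise validated.

    chain[0] is the end-entity, chain[-1] the trust anchor.  Each entry is a
    dict with "subject", "sig_oid" and "not_before" (aware datetime); the
    trust anchor additionally carries "builtin" (True for a root shipped with
    the browser, False for one imported by the user or administrator).
    Returns (accepted, reason).
    """
    root = chain[-1]
    # A trust anchor's own (self-)signature is never verified, so the rule
    # applies only to the end-entity and the intermediates below the root.
    for cert in chain[:-1]:
        alg = SHA1_SIGNATURE_OIDS.get(cert["sig_oid"])
        if alg is None:
            continue  # not SHA-1 signed; nothing to decide
        if policy == ALLOW_ALL:
            continue
        if policy == FORBID_AFTER_CUTOFF:
            if cert["not_before"] >= SHA1_CUTOFF:
                return False, (f"{cert['subject']}: {alg} signature on a certificate "
                               f"with notBefore {cert['not_before']:%Y-%m-%d} "
                               f"(on or after 2016-01-01)")
            continue
        if policy == IMPORTED_ROOT_ONLY:
            if root["builtin"]:
                return False, (f"{cert['subject']}: {alg} signature under "
                               f"built-in root {root['subject']}")
            continue  # chains to a locally imported root (e.g. a MitM proxy)
        raise ValueError(f"unknown policy {policy!r}")
    return True, "ok"


def _cert(subject, sig_oid, not_before, **extra):
    """Build one constructed chain entry (not a real certificate)."""
    entry = {"subject": subject, "sig_oid": sig_oid,
             "not_before": datetime.fromisoformat(not_before).replace(tzinfo=timezone.utc)}
    entry.update(extra)
    return entry


# Constructed sample chains.
# 1. Interception proxy re-signing sites with SHA-1 under a locally imported
#    root: the situation behind the breakage this bug reacts to.
MITM_CHAIN = [
    _cert("CN=www.example.com", "1.2.840.113549.1.1.5", "2016-01-05"),
    _cert("CN=Example Proxy Root", "1.2.840.113549.1.1.5", "2014-06-01", builtin=False),
]
# 2. Public site with a SHA-1 leaf issued before the cutoff under a built-in root.
OLD_PUBLIC_CHAIN = [
    _cert("CN=legacy.example.net", "1.2.840.113549.1.1.5", "2015-11-20"),
    _cert("CN=Example Intermediate CA", "1.2.840.113549.1.1.11", "2014-01-01"),
    _cert("CN=Example Root CA", "1.2.840.113549.1.1.5", "2006-01-01", builtin=True),
]
# 3. SHA-256 below the root; the root's own SHA-1 self-signature is irrelevant.
SHA256_CHAIN = [
    _cert("CN=modern.example.org", "1.2.840.113549.1.1.11", "2016-02-01"),
    _cert("CN=Example Intermediate CA", "1.2.840.113549.1.1.11", "2014-01-01"),
    _cert("CN=Example Root CA", "1.2.840.113549.1.1.5", "2006-01-01", builtin=True),
]


def evaluate_all():
    """Return {(chain name, policy): accepted} for every combination."""
    chains = {"mitm": MITM_CHAIN, "old_public": OLD_PUBLIC_CHAIN, "sha256": SHA256_CHAIN}
    policies = (ALLOW_ALL, FORBID_AFTER_CUTOFF, IMPORTED_ROOT_ONLY)
    return {(name, pol): check_sha1_policy(chain, pol)[0]
            for name, chain in chains.items() for pol in policies}


if __name__ == "__main__":
    for (name, pol), ok in sorted(evaluate_all().items()):
        print(f"{name:11s} {pol:20s} {'accept' if ok else 'reject'}")
```

The table the script prints shows the trade-off on the bug: `forbid-after-cutoff` breaks the proxy chain while leaving the pre-2016 public site alone, `allow-all` (this bug) accepts both, and `imported-root-only` accepts the proxy chain but rejects every SHA-1 leaf under a built-in root, including ones issued in 2015. In a real implementation the `sig_oid` and `not_before` values come from the parsed certificate and `builtin` from whether the trust anchor lives in the browser's built-in root store or in the user's or system's database.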
Comment 20 (8 years ago):
[bugday-20160323]
Status: RESOLVED,FIXED -> UNVERIFIED
Comments: STR: Not clear. Developer specific testing
Component: Name Firefox, Version 46.0b9, Build ID 20160322075646, Update Channel beta
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
OS: Windows 7 SP1 x86_64
Expected Results: Developer specific testing
Actual Results: As expected