Closed Bug 1236975 Opened 8 years ago Closed 8 years ago

Re-enable SHA-1 certificates

Categories

(Firefox :: Security, defect)


RESOLVED FIXED
Firefox 46
Tracking Status
firefox42 --- unaffected
firefox43 + fixed
firefox44 + fixed
firefox45 + fixed
firefox46 --- fixed
firefox-esr38 --- unaffected
firefox-esr45 - fixed

People

(Reporter: rbarnes, Assigned: rbarnes)

(Keywords: dev-doc-complete, site-compat)

Attachments

(1 file)

In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01.  That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites.

https://groups.google.com/d/topic/mozilla.dev.platform/ZNKxYgIk_Sg/discussion

In order to enable measurement of the scope of this risk, we should (temporarily) change the default preference to accept all valid SHA-1 certificates, regardless of issuance date.
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/29585/diff/1-2/
Attachment #8704226 - Attachment description: MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates → MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler
Attachment #8704226 - Flags: review?(dkeeler)
Attachment #8704226 - Flags: review?(dkeeler) → review+
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

https://reviewboard.mozilla.org/r/29585/#review26409
Attachment #8704226 - Flags: review+
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

Approval Request Comment
[Feature/regressing bug #]: 942515
[User impact if declined]: Some users may be unable to access HTTPS sites
[Describe test coverage new/current, TreeHerder]: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=dab1794bd567
[Risks and why]: Minimal.  Reverting to state as of release.
[String/UUID change made/needed]: N/A
Attachment #8704226 - Flags: approval-mozilla-release?
Attachment #8704226 - Flags: approval-mozilla-beta?
Attachment #8704226 - Flags: approval-mozilla-aurora?
I don't think we need to be in a rush to re-enable SHA-1 for ESR at the moment, but we have to make a call on that before we release 38.6.0esr.
Comment on attachment 8704226 [details]
MozReview Request: Bug 1236975 - Re-enable SHA-1 certificates r?keeler

Approved for uplift to aurora, beta, and release as this will help us assess the impact of this change on users.
Attachment #8704226 - Flags: approval-mozilla-release?
Attachment #8704226 - Flags: approval-mozilla-release+
Attachment #8704226 - Flags: approval-mozilla-beta?
Attachment #8704226 - Flags: approval-mozilla-beta+
Attachment #8704226 - Flags: approval-mozilla-aurora?
Attachment #8704226 - Flags: approval-mozilla-aurora+
This isn't affecting ESR after all; it's planned for 45esr instead.
Liz, do you think this matter needs our attention?
Please let us know if you consider there's something we should cover here.
Flags: qe-verify?
Flags: needinfo?(lhenry)
https://hg.mozilla.org/mozilla-central/rev/dab1794bd567
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Cornel, it would be great to verify the fix if you can reproduce the original problem. That means finding antivirus software or junkware that reproduces the original problem. I'm not sure we need to do that here. 

This reverts the pref back to what it was at the end of December, so I am not too worried about the risk of breaking something with this change.
Flags: needinfo?(lhenry)
OK, so this provides a short-term fix, and the long-term fix is the device vendor's job.  Is there a medium-term fix?  For example, could Firefox distinguish between the case where the root certificate is shipped with Firefox and when it is added by the user or system administrator, and only allow SHA-1 certs in the latter case?  (I think that's what Microsoft are doing.)

Or perhaps even make this an option on a per-root-certificate basis?  So the user or system administrator can take the man-in-the-middle device's root certificate and set a flag on it meaning "allow SHA-1 certificates signed by this certificate"?
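
The three policies discussed in this bug, modelled side by side as an added example; this is not Firefox code and not part of any comment above. All names (`Policy`, `Cert`, `chain_accepted`) and the sample chains are hypothetical and constructed, and the model assumes the trust anchor's own signature is not evaluated.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

# Cutoff date named in the bug; treating the boundary instant itself as
# "after" is an assumption of this model.
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

class Policy(Enum):
    REJECT_NEW_SHA1 = 1   # behaviour described for Bug 942515
    ALLOW_ALL_SHA1 = 2    # temporary default requested in this bug
    USER_ROOTS_ONLY = 3   # medium-term idea raised in the comments

@dataclass(frozen=True)
class Cert:
    subject: str
    sig_alg: str          # signature algorithm name, e.g. "sha1WithRSAEncryption"
    not_before: datetime

def uses_sha1(cert):
    return cert.sig_alg.lower().startswith("sha1")

def chain_accepted(chain, root_is_builtin, policy):
    """chain holds the leaf and intermediates only (root excluded)."""
    for cert in chain:
        if not uses_sha1(cert):
            continue
        if policy is Policy.REJECT_NEW_SHA1 and cert.not_before >= CUTOFF:
            return False
        if policy is Policy.USER_ROOTS_ONLY and root_is_builtin:
            return False
    return True

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

SHA1, SHA256 = "sha1WithRSAEncryption", "sha256WithRSAEncryption"
# Constructed samples: (certs below the root, does the root ship with the browser?)
SAMPLES = {
    "public_2015": ([Cert("a.example", SHA1, utc(2015, 6, 1))], True),
    "public_2016": ([Cert("b.example", SHA1, utc(2016, 1, 5))], True),
    "mitm_2016": ([Cert("b.example", SHA1, utc(2016, 1, 5))], False),
    "public_sha256_2016": ([Cert("c.example", SHA256, utc(2016, 1, 5))], True),
}

def verdicts():
    return {name: {p.name: chain_accepted(chain, builtin, p) for p in Policy}
            for name, (chain, builtin) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:20} {result}")
```

The `mitm_2016` row is the case reported here: a freshly issued SHA-1 leaf under a locally installed root fails the date cutoff, while the per-root proposal would accept it and still reject the same leaf under a built-in root.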
[bugday-20160323]

Status: RESOLVED,FIXED -> UNVERIFIED

Comments:
STR: Not clear.
Developer specific testing

Component: 
Name			Firefox
Version			46.0b9
Build ID		20160322075646
Update Channel          beta
User Agent		Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
OS			Windows 7 SP1 x86_64

Expected Results: 
Developer specific testing

Actual Results: 
As expected