Status

Core
Security: PSM
P1
enhancement
RESOLVED FIXED
6 months ago
3 months ago

People

(Reporter: jcj, Assigned: keeler)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-assigned], URL)

(Reporter)

Description

6 months ago
Per the SHA-1 Shutoff Plan [1], we're going to use restartless-addon delivery to flip the "security.pki.sha1_enforcement_level" preference level added in Bug 1254667 to "ImportedRoot".

This is going to be built on the code from the telemetry experiment in Bug 1311479.

[1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
(Assignee)

Updated

6 months ago
Priority: -- → P1
Whiteboard: [psm-assigned]
(Assignee)

Updated

5 months ago
Depends on: 1328718
(Reporter)

Updated

4 months ago
Depends on: 1336616
(Reporter)

Updated

4 months ago
Depends on: 1338228
(Reporter)

Updated

4 months ago
Depends on: 1330043
(Reporter)

Updated

3 months ago
Depends on: 1339662
(Reporter)

Comment 1

3 months ago
SHA-1 is disabled for most all Firefox users as of last weekend in Bug 1339662. [1] Some percentage of Firefox users don't receive these kinds of updates, though, and will only have their preference changed when they upgrade to 52 (due to the preference change in Bug 1330043). ESR users will also get it in ESR 52.

Continued use of SHA-1 certificates issued through the Mozilla root program will require adjusting the about:config preference security.pki.sha1_enforcement_level to either 4 (permit certificates pre-2016) or 0 (allow all SHA-1).

There are some more resources for server operators at FxSiteCompat.com [2], as well as other places around the Internet.

[1] https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
[2] https://www.fxsitecompat.com/en-CA/docs/2016/sha-1-certificates-issued-by-public-ca-will-no-longer-be-accepted/
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED