Closed Bug 1321114 Opened 8 years ago Closed 7 years ago

Remote SHA-1 shut-off

Categories

(Core :: Security: PSM, enhancement, P1)

RESOLVED FIXED

People

(Reporter: jcj, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Per the SHA-1 Shutoff Plan [1], we're going to use restartless-addon delivery to flip the "security.pki.sha1_enforcement_level" preference level added in Bug 1254667 to "ImportedRoot".

This is going to be built on the code from the telemetry experiment in Bug 1311479.

[1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Priority: -- → P1
Whiteboard: [psm-assigned]
Depends on: 1336616
Depends on: 1338228
Depends on: 1330043
Depends on: 1339662
SHA-1 is disabled for almost all Firefox users as of last weekend in Bug 1339662. [1] Some percentage of Firefox users don't receive these kinds of updates, though, and will only have their preference changed when they upgrade to 52 (due to the preference change in Bug 1330043). ESR users will also get it in ESR 52.

Continued use of SHA-1 certificates issued through the Mozilla root program will require adjusting the about:config preference security.pki.sha1_enforcement_level to either 4 (permit certificates pre-2016) or 0 (allow all SHA-1).

There are some more resources for server operators at FxSiteCompat.com [2], as well as other places around the Internet.

[1] https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
[2] https://www.fxsitecompat.com/en-CA/docs/2016/sha-1-certificates-issued-by-public-ca-will-no-longer-be-accepted/
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED