
Broken sites due to SHA1-encoded intermediate certs



Product: Tech Evangelism
Reported: 7 months ago
Modified: 7 months ago


(Reporter: mwobensmith, Unassigned)


Version: Firefox 53

Firefox Tracking Flags: (Not tracked)



(1 attachment)

Created attachment 8837360

Sites that have failed to update their SHA1-encoded end-entity certs will soon be broken in Fx53. This is captured in bug 1330043.

Sites that have updated their end-entity certs, but still chain to SHA1-encoded *intermediate* certs, will also be broken in Fx53. This might be unexpected to some site owners. These sites may or may not work in latest Chrome, depending on Chrome's support of AIA-chasing and race conditions resulting from certificate fetching. 

This bug is to alert evangelists to a list of sites surfaced by the TLS Canary that - at time of testing (2017-02-09) - seemed to fit the above description. Keep in mind that sites are currently upgrading and some may have already fixed the problem. 

Also, many sites operate on both a TLD and with a "www" prefix, and some sites often have one of these broken. The attached list specifies exactly which domain is affected, as well as the site rank assigned to it.
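As an added example (not part of this bug report, the TLS Canary, or any Mozilla code), the following Python script pulls the outer signatureAlgorithm out of each certificate in a served chain and flags the ones signed with SHA-1, so a site owner can tell a fixed end-entity cert that still hangs off a SHA-1 intermediate from one whose leaf is the problem. The DER walking and the OID table follow RFC 5280; the certificates it runs on are synthetic structures built in the script itself (an assumption for the demo), not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs that Firefox 53 rejects on end-entity and intermediate certificates.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}

def _read_tlv(buf, i):
    """Return (tag, value, index after the element) for the DER element at buf[i]."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The outer signatureAlgorithm records what the *issuer* used to sign this cert,
    which is the field Firefox's SHA-1 policy looks at."""
    tag, body, _ = _read_tlv(cert_der, 0)
    _, _tbs, i = _read_tlv(body, 0)          # skip tbsCertificate
    alg_tag, alg_id, _ = _read_tlv(body, i)  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 Certificate")
    return _decode_oid(oid)

def sha1_signed_certs(chain_der):
    """For a leaf-first chain as served by the site, return (index, role, algorithm) for each
    certificate signed with SHA-1. Index 0 is the end-entity cert, the rest are intermediates.
    A self-signed root is a trust anchor whose own signature Firefox never validates, so
    strip it from the list if the server happens to send it."""
    flagged = []
    for idx, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if oid in SHA1_SIG_OIDS:
            flagged.append((idx, "end-entity" if idx == 0 else "intermediate", SHA1_SIG_OIDS[oid]))
    return flagged

def pem_chain_to_der(pem_text):
    """Split PEM text (for example `openssl s_client -showcerts` output) into DER certificates."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

# Constructed input (assumption for the demo): synthetic stand-ins, not real certificates.
# tbsCertificate is an empty SEQUENCE and the signature a dummy BIT STRING, so nothing here
# would ever validate; only the outer signatureAlgorithm field is meaningful.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out

def synthetic_cert(sig_oid):
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))

def example_chain():
    """The case the bug describes: leaf re-issued with SHA-256, still chained to a SHA-1 intermediate."""
    return [synthetic_cert("1.2.840.113549.1.1.11"),   # sha256WithRSAEncryption end-entity
            synthetic_cert("1.2.840.113549.1.1.5")]    # sha1WithRSAEncryption intermediate

def example_chain_pem():
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % base64.b64encode(der).decode() for der in example_chain())
```

To run it against a live site, feed the output of `openssl s_client -connect host:443 -servername host -showcerts </dev/null` to `pem_chain_to_der` and pass the result to `sha1_signed_certs`. It only inspects the chain the server actually sends, which is the point: a server that omits a SHA-1 intermediate may still work in a client that fetches intermediates via AIA, while Firefox evaluates the served chain, so the same site can pass in one browser and fail in the other.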


7 months ago
Blocks: 1330043


7 months ago
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Version: 53 Branch → Firefox 53