Deprecate SHA-1 to 100% of Beta and Release Users

RESOLVED FIXED

Status

Core
Security: PSM
P1
enhancement
4 months ago

People

(Reporter: jcj, Assigned: keeler)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-assigned][go-faster-system-addon], URL)

Attachments

(3 attachments)

(Follow on to Bug 1328718, Bug 1336616, and Bug 1338228)

Twelve years ago yesterday, the research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu announced that they had broken [1] SHA-1 for the first time. [2]

Per the SHA-1 Shutoff Plan [3], we're going to update the system addon's Release-channel test threshold to 100% for the week of 20 Feb 2017. The resulting addon-config will be 100% cohorts for both release and beta, permitting a 100% cohort via Go Faster.

[1] Well, found an enormous speedup from 2^160 to 2^69
[2] Wang, Xiaoyun, Yiqun Lisa Yin, and Hongbo Yu. "Collision search attacks on SHA1." (2005)
[3] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
(Assignee)

Comment 1

4 months ago
Created attachment 8837858 [details] [diff] [review]
1339662-disable-sha1.diff
Attachment #8837858 - Flags: review?(jjones)

Comment 2

Comment on attachment 8837858 [details] [diff] [review]
1339662-disable-sha1.diff

Review of attachment 8837858 [details] [diff] [review]:
-----------------------------------------------------------------

With this patch, a shatter'd visage is obscured,
Its sneer of cold command in history orphaned.
That one whose results were long once, and secure,
But now resides, antique, imprinted on things best forgotten.
Attachment #8837858 - Flags: review?(jjones) → review+
(Assignee)

Comment 3

4 months ago
Created attachment 8838252 [details]
disableSHA1rollout.xpi

Jason, would you sign this please? Thanks!
Flags: needinfo?(jthomas)

Comment 4

4 months ago
Created attachment 8838297 [details]
disableSHA1rollout.xpi signed

Please see attached.
Flags: needinfo?(jthomas)
(Assignee)

Comment 5

4 months ago
Thanks!
Justin, can you confirm attachment 8838297 [details] works as expected? (It's supposed to disable SHA-1 100% of the time in beta and release). Thanks!
Flags: needinfo?(jwilliams)

Comment 6

(In reply to Jason Thomas [:jason] from comment #4)
> Created attachment 8838297 [details]
> disableSHA1rollout.xpi signed
> 
> Please see attached.
Could you please also upload this to https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/?

I'm waiting for access in bug 1312887 comment 4
Flags: needinfo?(jthomas)

Comment 7

Everything looks good and works as expected, David.
Flags: needinfo?(jwilliams)
(Assignee)

Comment 8

4 months ago
Thanks!

Comment 9

4 months ago
(In reply to Cory Price [:ckprice] from comment #6)
> (In reply to Jason Thomas [:jason] from comment #4)
> > Created attachment 8838297 [details]
> > disableSHA1rollout.xpi signed
> > 
> > Please see attached.
> Could you please also upload this to
> https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/?
> 
> I'm waiting for access in bug 1312887 comment 4

Done. https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/disableSHA1rollout.xpi
Flags: needinfo?(jthomas)

Comment 10

Error reporting data shows no uptick in volume since we've turned things on [1].

Per that and the schedule [2], I think this is ready to get into the GoFaster queue, ckprice.

[1] https://i.have.insufficient.coffee/deprecation-20170221.png
[2] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1#Planned_Sampled_Rollout_Timeline
Flags: needinfo?(cprice)

Comment 11

And 12 years and 9 days after the first major speedup in cryptanalysis of SHA-1 (Comment #0), Google has announced they forced a collision. [1]

[1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Comment 12

4 months ago
(In reply to J.C. Jones [:jcj] from comment #0)
> [1] Well, found an enormous speedup from 2^160 to 2^69

For the sake of correctness, it's a speedup from 2^80 to 2^69. The birthday paradox is still a factor, and this is a collision attack, not a second preimage attack.

Comment 13

(In reply to eltrai from comment #12)
> For the sake of correctness, it's a speedup from 2^80 to 2^69. The birthday
> paradox is still a factor, and this is a collision attack, not a second
> preimage attack.

The original poster is indebted for your correction, for of course you're right. :)
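
The distinction drawn in comments 12 and 13, shown as an added example that is not part of the bug thread or of any Mozilla code: a birthday search on SHA-1 truncated to n bits finds a collision after roughly 2^(n/2) hashes, which is why the generic collision bound for full SHA-1 is 2^80 while 2^160 is the second-preimage bound. The truncation widths, message prefix and function names are assumptions made for the demonstration.

```python
import hashlib
import math

def truncated_sha1(data: bytes, bits: int) -> int:
    """Toy n-bit hash: the top `bits` bits of SHA-1(data) as an integer."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)

def find_collision(bits: int, prefix: bytes = b"constructed-msg-"):
    """Birthday search: hash distinct messages until two share a digest.

    Returns (msg_a, msg_b, hashes_computed). Nothing here uses SHA-1's
    internal structure, so the cost is the generic bound for any n-bit hash.
    """
    seen = {}  # truncated digest -> first message that produced it
    count = 0
    while True:
        msg = prefix + str(count).encode()
        digest = truncated_sha1(msg, bits)
        count += 1
        if digest in seen:
            return seen[digest], msg, count
        seen[digest] = msg

def generic_cost_log2(bits: int) -> dict:
    """log2 of hash evaluations for generic attacks on an ideal n-bit hash."""
    return {"collision": bits / 2, "second_preimage": bits}

def run_experiment(bit_sizes=(16, 24, 32)):
    """Measure the collision cost at several truncation widths."""
    rows = []
    for bits in bit_sizes:
        a, b, tries = find_collision(bits)
        rows.append((bits, a, b, tries, math.log2(tries)))
    return rows

if __name__ == "__main__":
    for bits, a, b, tries, lg in run_experiment():
        print(f"{bits:3d}-bit: collision after 2^{lg:.1f} hashes "
              f"(generic bound ~2^{bits / 2:.0f}, second preimage ~2^{bits})")
    full = generic_cost_log2(160)
    # 2^69 is the figure quoted in this thread for the 2005 attack.
    print(f"full SHA-1: generic collision 2^{full['collision']:.0f}, "
          f"second preimage 2^{full['second_preimage']}, 2005 attack 2^69")
```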

Comment 14

From discussion in IRC with jcj and jcristau, let's move ahead with this on release 51. Good timing.....

Comment 15

This is up on stage. /cc Thomas from data.
Flags: needinfo?(cprice)
Whiteboard: [psm-assigned] → [psm-assigned][go-faster-system-addon]

Comment 16

Duplicate of this bug: 1342290

Comment 17

4 months ago
Have you started rolling this out on a "test" basis to non beta firefox 51 users?

I ask as two people are having trouble accessing a December 2013 SHA-1 certificate that still has several months until it expires. Neither believes that they signed up for the Firefox beta program; however, their Firefox 51.0.1 has disableSHA1.rollout.cohort set to "test", unlike the other 51.0.1 users, who either don't have that preference name or have it set to "control".

Comment 18

(In reply to Alexander Kohr from comment #17)
> Have you started rolling this out on a "test" basis to non beta firefox 51
> users?

Yes, this was released Friday to all Firefox 51 users. [1] Some percentage of Firefox users don't receive these kinds of updates, though, and will only have their preference changed when they upgrade to 52. ESR users will get it in ESR 52.

Continued use of SHA-1 certificates issued through the Mozilla root program will require adjusting the security.pki.sha1_enforcement_level to either 4 (permit certificates pre-2016) or 0 (allow all SHA-1).

[1] https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
Status: ASSIGNED → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → FIXED

Comment 19

4 months ago
Thank you. My initial web search seems to have missed the February 23rd 2017 blog post about this at https://blog.mozilla.org/security/. I'll be doing the right thing and pushing for the server to be updated to a SHA-2 certificate.