Closed Bug 1339662 Opened 7 years ago Closed 7 years ago

Deprecate SHA-1 to 100% of Beta and Release Users

Categories

(Core :: Security: PSM, enhancement, P1)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jcj, Assigned: keeler)

References

(
URL
)

Details

(Whiteboard: [psm-assigned][go-faster-system-addon])

Attachments

(3 files)

1339662-disable-sha1.diff
2.44 KB, patch
jcj
: review+
Details | Diff | Splinter Review
disableSHA1rollout.xpi
4.77 KB, application/octet-stream
Details
disableSHA1rollout.xpi signed
8.65 KB, application/octet-stream
Details 
(Follow on to Bug 1328718, Bug 1336616, and Bug 1338228)

Twelve years ago yesterday, the research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu announced that they had broken [1] SHA-1 for the first time. [2]

Per the SHA-1 Shutoff Plan [3], we're going to update the system addon's Release-channel test threshold to 100% for the week of 20 Feb 2017. The resulting addon-config will be 100% cohorts for both release and beta, permitting a 100% cohort via Go Faster.

[1] Well, found an enormous speedup from 2^160 to 2^69
[2] Wang, Xiaoyun, Yiqun Lisa Yin, and Hongbo Yu. "Collision search attacks on SHA1." (2005)
[3] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Comment on attachment 8837858 [details] [diff] [review]
1339662-disable-sha1.diff

Review of attachment 8837858 [details] [diff] [review]:
-----------------------------------------------------------------

With this patch, a shatter'd visage is obscured,
Its' sneer of cold command in history orphaned.
That one whose results were long once, and secure,
But now resides, antique, imprinted on things best forgotten.
Attachment #8837858 - Flags: review?(jjones) → review+
Attached file disableSHA1rollout.xpi 
Jason, would you sign this please? Thanks!
Flags: needinfo?(jthomas)
Please see attached.
Flags: needinfo?(jthomas)
Thanks!
Justin, can you confirm attachment 8838297 [details] works as expected? (It's supposed to disable SHA-1 100% of the time in beta and release). Thanks!
Flags: needinfo?(jwilliams)
(In reply to Jason Thomas [:jason] from comment #4)
> Created attachment 8838297 [details]
> disableSHA1rollout.xpi signed
> 
> Please see attached.
Could you please also upload this to https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/?

I'm waiting for access in bug 1312887 comment 4
Flags: needinfo?(jthomas)
Everything looks good and works as expected David.
Flags: needinfo?(jwilliams)
(In reply to Cory Price [:ckprice] from comment #6)
> (In reply to Jason Thomas [:jason] from comment #4)
> > Created attachment 8838297 [details]
> > disableSHA1rollout.xpi signed
> > 
> > Please see attached.
> Could you please also upload this to
> https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/?
> 
> I'm waiting for access in bug 1312887 comment 4

Done. https://ftp.mozilla.org/pub/system-addons/disableSHA1rollout/disableSHA1rollout.xpi
Flags: needinfo?(jthomas)
Error reporting data shows no uptick in volume since we've turned things on [1].

Per that and the schedule [2], I think this is ready to get into the GoFaster queue, ckprice.

[1] https://i.have.insufficient.coffee/deprecation-20170221.png
[2] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1#Planned_Sampled_Rollout_Timeline
Flags: needinfo?(cprice)
And 12 years and 9 days after the first major speedup in cryptanalysis of SHA-1 (Comment #0), Google has announced they forced a collision. [1]

[1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
(In reply to J.C. Jones [:jcj] from comment #0)
> [1] Well, found an enormous speedup from 2^160 to 2^69

For the sake of correctness, it's a speedup from 2^80 to 2^69. The birthday paradox is still a factor, and this is a collision attack, not a second preimage attack.
(In reply to eltrai from comment #12)
> For the sake of correctness, it's a speedup from 2^80 to 2^69. The birthday
> paradox is still a factor, and this is a collision attack, not a second
> preimage attack.

The original poster is indebted for your correction, for of course you're right. :)
From discussion in irc with jcj and jcristau, let's move ahead with this on release 51. Good timing.....
This is up on stage. /cc Thomas from data.
Flags: needinfo?(cprice)
Whiteboard: [psm-assigned] → [psm-assigned][go-faster-system-addon]
Have you started rolling this out on a "test" basis to non beta firefox 51 users?

I ask as two people are having trouble accessing an December 2013 sha1 certificated that still has several months until it expires. Neither believe that they signed up for the Firefox beta Program, however their firefox 51.0.1 has disableSHA1.rollout.cohort set to "test" unlike the other 51.0.1 users whom either don't have the that preference name or have it set to "control".
(In reply to Alexander Kohr from comment #17)
> Have you started rolling this out on a "test" basis to non beta firefox 51
> users?

Yes, this was released Friday to all Firefox 51 users. [1] Some percentage of Firefox users don't receive these kinds of updates, though, and will only have their preference changed when they upgrade to 52. ESR users will get it in ESR 52.

Continued use of SHA-1 certificates issued through the Mozilla root program will require adjusting the security.pki.sha1_enforcement_level to either 4 (permit certificates pre-2016) or 0 (allow all SHA-1).

[1] https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Thanks You. My initial web search seem to have missed the Febuary 23rd 2017 blog post about this at https://blog.mozilla.org/security/. I'll be doing the right thing a pushing for the server to update to be updated to a sha2 certificate.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: