Closed Bug 1532292 Opened 5 years ago Closed 1 year ago

Treat signed S/MIME messages that use a SHA1 digest as insecure

Categories

(MailNews Core :: Security: S/MIME, enhancement)

Product:
MailNews Core
Component:
Security: S/MIME
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
113 Branch

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(1 file)

Bug 1532292 - Reject S/MIME signatures that use the SHA-1 hash algorithm. r=mkmelin
48 bytes, text/x-phabricator-request
Details | Review

Let's see when we can treat signed S/MIME messages that use a SHA1 digest as insecure.

Severity: normal → S3

https://en.wikipedia.org/wiki/SHA-1:
"Since 2005, SHA-1 has not been considered secure against well-funded opponents;[11] as of 2010 many organizations have recommended its replacement.[12][9][13] NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013"

See Also: → 84213
Depends on: 1815246
Assignee: nobody → kaie
Status: NEW → ASSIGNED

Ready to land?

Flags: needinfo?(kaie)

My thinking was, let's Beta 112 have reject MD5, only, and let's reject SHA1 in 113.
This way we could more easily distinguish if someone is affected by MD5 or SHA1.

Flags: needinfo?(kaie)
Keywords: checkin-needed-tb

This doesn't apply properly, even if I convince moz-phab not to download the earlier patch in the stack which has already landed.

Flags: needinfo?(kaie)
Keywords: checkin-needed-tb

Ok sorry, thanks for trying, there was a whitespace fix in the base patch.

Flags: needinfo?(kaie)

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/4dd8587a0684
Reject S/MIME signatures that use the SHA-1 hash algorithm. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
See Also: → 1843526
Blocks: 1856961
See Also: → 1854592
Regressions: 1854592
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: