Treat signed S/MIME messages that use a SHA1 digest as insecure
Categories
(MailNews Core :: Security: S/MIME, enhancement)
Tracking
(Not tracked)
People
(Reporter: KaiE, Assigned: KaiE)
References
Details
Attachments
(1 file)
Let's see when we can treat signed S/MIME messages that use a SHA1 digest as insecure.
Updated•2 years ago
|
Comment 1•1 year ago
|
||
https://en.wikipedia.org/wiki/SHA-1:
"Since 2005, SHA-1 has not been considered secure against well-funded opponents;[11] as of 2010 many organizations have recommended its replacement.[12][9][13] NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013"
Assignee | ||
Comment 2•1 year ago
|
||
Depends on D166957
Updated•1 year ago
|
Assignee | ||
Comment 4•1 year ago
|
||
My thinking was, let's Beta 112 have reject MD5, only, and let's reject SHA1 in 113.
This way we could more easily distinguish if someone is affected by MD5 or SHA1.
Assignee | ||
Updated•1 year ago
|
Comment 5•1 year ago
|
||
This doesn't apply properly, even if I convince moz-phab not to download the earlier patch in the stack which has already landed.
Assignee | ||
Comment 6•1 year ago
|
||
Ok sorry, thanks for trying, there was a whitespace fix in the base patch.
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/4dd8587a0684
Reject S/MIME signatures that use the SHA-1 hash algorithm. r=mkmelin
Assignee | ||
Updated•1 year ago
|
Description
•