Closed Bug 1766687 Opened 5 months ago Closed 4 months ago

remove support for sha-1 signatures in all certificates (including imported roots)

Categories: Core :: Security: PSM, task, P1
Status: RESOLVED FIXED
Target Milestone: 103 Branch
Tracking Status: relnote-firefox --- 103+; firefox103 --- fixed
People: Reporter: keeler, Assigned: keeler
References: Blocks 1 open bug
Whiteboard: [psm-assigned]
Attachments: 1 file

Previously, sha-1 signatures in certificates were disabled by default, except for certificates issued by imported roots. Chrome had a similar policy, but this was removed in 71 [0]. Telemetry [1] indicates that some users do still encounter sha-1 signatures at a fraction of the rate of overall certificate errors, so forbidding all sha-1 signatures should have minimal compatibility impact.

[0] https://chromeenterprise.google/policies/#EnableSha1ForLocalAnchors
[1] https://mzl.la/3kg5J4j

Previously [0], support for SHA1 signatures in certificates was disabled by default, except for certificates issued by imported roots. Chrome had a similar policy, but this was removed in 71 [1]. Telemetry [2] indicates that some users do still encounter SHA1 signatures at a fraction of the rate of overall certificate errors, so forbidding all SHA1 signatures should have minimal compatibility impact.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
[1] https://chromeenterprise.google/policies/#EnableSha1ForLocalAnchors
[2] https://mzl.la/3kg5J4j
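After this change, a certificate chaining to an imported (enterprise) root is rejected like any other if its signature uses SHA-1, so an administrator's check before upgrading is whether anything in the local stores is still SHA-1-signed. The following is an added example, not code from this bug or from Firefox: a stand-alone DER walker that reads a certificate's outer signatureAlgorithm OID and flags the SHA-1 variants. The names `signature_oid` and `uses_sha1` are this example's own, and the sample certificates at the bottom are constructed structural stand-ins, not real certificates.

```python
SHA1_SIGNATURE_OIDS = {  # signature OIDs that bind a SHA-1 digest; all rejected by Firefox 103+
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(content):
    """Turn OID content octets (base-128 arcs) into dotted notation."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    alg_tag, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm (AlgorithmIdentifier)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)     # its first element is the algorithm OID
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate / AlgorithmIdentifier")
    return _decode_oid(oid)

def uses_sha1(der):
    """True if this certificate's signature is one Firefox now refuses to accept."""
    return signature_oid(der) in SHA1_SIGNATURE_OIDS
# --- constructed sample data: structural stand-ins, not real certificates ----
def _tlv(tag, body):
    """Encode one DER element, switching to long-form length when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _fake_cert(alg_oid_der):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))        # placeholder tbsCertificate
    alg = _tlv(0x30, alg_oid_der + b"\x05\x00")   # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 256)     # BIT STRING, long enough to need long-form lengths
    return _tlv(0x30, tbs + alg + sig)
SHA1_RSA_CERT = _fake_cert(bytes.fromhex("06092a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_RSA_CERT = _fake_cert(bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption
ECDSA_SHA1_CERT = _fake_cert(bytes.fromhex("06072a8648ce3d0401"))      # ecdsa-with-SHA1
```

Run `uses_sha1` over every DER certificate exported from the stores you manage (base64-decode PEM bodies first); anything it flags below a trust anchor will fail to verify once this change ships.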

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8ef044a6a1fe
remove support for SHA1 signatures in all certificates (including imported roots) r=jschanck
Flags: needinfo?(dkeeler)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a4a8545b202f
remove support for SHA1 signatures in all certificates (including imported roots) r=jschanck
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

Release Note Request (optional, but appreciated)
[Why is this notable]: Users previously had the option of enabling SHA-1 support in certificate signatures, which is not secure, but this change removes that option.
[Affects Firefox for Android]: yes
[Suggested wording]: Removed configuration option to allow SHA-1 signatures in certificates. SHA-1 signatures in certificates, long since determined to no longer be secure enough, are now not supported.
[Links (documentation, blog post, etc)]:

relnote-firefox: --- → ?

Note added to 103 nightly notes
