MD5 is used as the hash algorithm to check manifests (nsManifestCheck::Begin())

RESOLVED WONTFIX

Status


Core
Networking
RESOLVED WONTFIX
6 years ago
2 years ago

People

(Reporter: briansmith, Unassigned)

Tracking

Trunk
x86_64
Windows 7

Details

MD5 should basically not be used for anything now. Either SHA1 or stronger should be used, if a secure hash algorithm is needed, or something faster should be used, if security is not an issue.
Summary: MD5 is used as the hah algorithm to check manifests (nsManifestCheck::Begin()) → MD5 is used as the hash algorithm to check manifests (nsManifestCheck::Begin())
Speed is the preference here. There is no need for a secure checksum. Probably just a CRC would be OK. We only need to detect a 1-bit change.
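
The trade-off raised in the description and the first comment, as an added example that is not part of the original bug and is not Mozilla's code: it checks exhaustively that CRC-32 catches every 1-bit change to a manifest, next to SHA-256 for the case where a secure hash is needed. The sample manifest and all function names are constructed for illustration.

```python
import hashlib
import zlib

# Constructed sample appcache manifest (not taken from the bug).
SAMPLE_MANIFEST = (
    b"CACHE MANIFEST\n"
    b"# v1 constructed sample\n"
    b"CACHE:\n"
    b"/index.html\n"
    b"/app.js\n"
    b"NETWORK:\n"
    b"*\n"
)

def crc32_digest(data: bytes) -> bytes:
    """Fast, non-cryptographic checksum: detects accidental changes only."""
    return zlib.crc32(data).to_bytes(4, "big")

def sha256_digest(data: bytes) -> bytes:
    """Collision-resistant hash, for content an adversary may control."""
    return hashlib.sha256(data).digest()

def single_bit_flips(data: bytes):
    """Yield every copy of data that differs from it in exactly one bit."""
    for i in range(len(data)):
        for bit in range(8):
            flipped = bytearray(data)
            flipped[i] ^= 1 << bit
            yield bytes(flipped)

def undetected_flips(data: bytes, digest) -> int:
    """Count single-bit changes whose digest equals the original's."""
    reference = digest(data)
    return sum(1 for v in single_bit_flips(data) if digest(v) == reference)

def manifest_changed(stored: bytes, fetched: bytes, digest=crc32_digest) -> bool:
    """Update check: True when the fetched manifest differs from the cached one."""
    return digest(fetched) != stored

if __name__ == "__main__":
    for name, fn in (("crc32", crc32_digest), ("sha256", sha256_digest)):
        print(name, "undetected 1-bit changes:",
              undetected_flips(SAMPLE_MANIFEST, fn))
```

Both digests report zero undetected 1-bit changes; they differ only in resistance to deliberately constructed collisions, which the CRC does not provide.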

Comment 2

5 years ago
Here is my case:

I'm trying to create a CSR (Certificate Signing Request) in a website using Firefox. When Firefox creates the pair of keys, it signs the CSR using MD5WithRSAEncryption. Due to FIPS compliance, the Certification Authority does not accept md5WithRSAEncryption. The CSR must be signed with at least sha1WithRSAEncryption.

Mozilla published in 2010 (https://wiki.mozilla.org/CA:MD5and1024) that they will not continue using MD5 for signatures. Currently, it's still being used.

Additionally, I have disabled MD5 (based on the information in other bugs) using about:config, modifying and including the following configurations:

security.enable_md5_signatures = false
security.ssl3.rsa_rc4_128_md5 = false

Yet the results are still the same. Firefox signs the CSR using MD5.
naldiello@gmail.com: are you sure you are at the right bug?
(In reply to Honza Bambas (:mayhemer) from comment #3)
> naldiello@gmail.com: are you sure you are at the right bug?

This is not the right bug for that. See bug 549460 instead.
Wontfix non-critical app cache bugs. It's going away.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX