722199 - MD5 is used as the hash algorithm to check manifests (nsManifestCheck::Begin())

Status: RESOLVED WONTFIX

(Core :: Networking, defect)

Description

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

MD5 should basically not be used for anything now. Either SHA1 or stronger should be used, if a secure hash algorithm is needed, or something faster should be used, if security is not an issue.

Comment 1

[Honza Bambas (:mayhemer)]

Speed is the preference here.  There is no need for a secure check sum.  Probably just a CRC would be OK.  We only need to detect a 1 bit change.

Comment 2

[naldiello]

Here is my case:

I'm trying to create a CSR (Certificate Signing Request) in a website using Firefox. When Firefox creates the pair of keys, it signs the CSR using MD5WithRSAEncryption. Due to FIPS compliance, the Certification Authority does not accept md5WithRSAEncryption. The CSR must be signed with at least sha1WithRSAEncryption.

Mozilla published in 2010 (https://wiki.mozilla.org/CA:MD5and1024) that they will not continue using MD5 for signatures. Currently, it's still being use.

Additionally I have disabled MD5 (base on the information of other bugs) using about:config modifying and including the following configurations:

security.enable_md5_signatures = false
security.ssl3.rsa_rc4_128_md5 = false

Yet, the results still the same. Firefox signs CSR using MD5.

Comment 3

[Honza Bambas (:mayhemer)]

naldiello@gmail.com: are you sure you are at the right bug?

Comment 4

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

(In reply to Honza Bambas (:mayhemer) from comment #3)
> naldiello@gmail.com: are you sure you are at the right bug?

This is not the right bug for that. See bug 549460 instead.

Comment 5

[Patrick McManus [:mcmanus]]

wontfix non critical app cache bugs. its going away