In an unexpected move, when browser vendor Mozilla released Firefox 43.0.4 on Jan. 6, it re-enabled support for newly issued SHA-1(Secure Hash Algorithm 1) security certificates. Mozilla had previously set Firefox to reject new SHA-1 signed Secure Sockets Layer/Transport Layer Security certificates as of Jan. 1.
“For Firefox users with unfiltered access to the Internet, this change probably went unnoticed, since there simply aren’t that many new SHA-1 certs being used,” Richard Barnes, Firefox security lead at Mozilla wrote in a blog post. “However, for Firefox users who are behind certain ‘man-in-the-middle’ devices (including some security scanners and antivirus products), this change removed their ability to access HTTPS web sites.”
The issue of SHA-1 certificate support is a large one, with SSL/TLS certificate authorities moving to stop all new SHA-1 certificate issuances as of Jan. 1.
Although Mozilla is reintroducing SHA-1 support in Firefox 43, that doesn’t mean it’s going to support SHA-1 for the long term. Barnes emphasized that Mozilla plans on removing SHA-1 support from Firefox in the future.
Mozilla’s SHA-1 support reversal is a surprising move, according to Kevin Bocek, vice president of Security Strategy & Threat Intelligence at Venafi.
“This is very shocking, given Mozilla has been a champion for security for so long,” Bocek told eWEEK. “Re-enabling SHA-1 certificates is actually backtracking and not helping anyone.”
Also surprised by Mozilla’s SHA-1 support reversal was Wayne Thayer, general manager of security products at Go Daddy and a member of the CA Security Council. Thayer said he finds it is a bit surprising that Mozilla apparently didn’t anticipate this problem, but not surprising that it’s reacting by rolling back the change.
“When their users can’t access Websites, they simply switch browsers, so sticking with this policy does more harm than good to both Mozilla and their ability to raise the bar on security,” he said. “I don’t think Mozilla is giving up on their position, just being practical.”
Matthew Prince, co-founder and CEO at CloudFlare, is not surprised, however, by Mozilla’s move to support newly issued SHA-1 certificates. There are a number of antivirus vendors that proxy local traffic and only support SHA-1, he said.
“Users of these antivirus solutions in combination with Firefox were seeing errors,” Prince told eWEEK. “Unfortunately, users are quick to blame the browser rather than their antiquated antivirus software.”
The SHA-1 signed digital certificate issue will be a concern throughout 2016 and possibly beyond. Bocek noted that it has been almost a decade since the National Institute of Standards and Technology (NIST) originally announced that everyone should transition from using SHA-1, but there has been resistance from large corporations for a long time.
“Older browsers may not support SHA-2 yet, so they don’t want to lose visibility on those sites, but it’s widely known that SHA-1 is vulnerable,” Bocek said. “If Websites don’t update to SHA-2 soon, then users will have a higher chance of being redirected to a spoofed or fake Website, and it will be harder to determine secure connections.”
Thayer emphasized that the Jan. 1, 2016, deadline from the SSL/TLS certificate authorities applies only to the issuance of new certificates and not trust.
“There are hundreds of thousands of SHA-1 certs out there that were issued before 2016, and they’re still trusted by browsers, perhaps with warnings,” Thayer said.
The specific dates for when browsers will officially drop all SHA-1 support vary, though it’s expected that by Jan. 1, 2017, no modern browser will provide any SHA-1 support. Prince said that browser vendors have set timelines over the course of 2016 to deprecate SHA-1.
“Whoever moves first will likely see some drop in market share as users who encounter errors will be quick to try another browser,” Prince said. “It’s important for browser vendors to deprecate SHA-1, but make no mistake, there will be significant pain as they do so.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.