Thursday, September 29, 2016

Mozilla pushes to drop Certificates with SHA-1 based Signature Algorithms

A lot of secure websites are using certificates based on a hash algorithm called SHA-1.

Integrity of Certificates with SHA-1 are phased out

To any website, the veracity of this algorithm is essential in securing the website 100% cause security holes in these algorithms can cause tremendous problems where cyber attackers can obtain fraudulent certificates.

Mozilla and other browser vendors are now pushing to phase out the SHA-1 hash algorithm. Why?

This algorithm is in the market for twenty years but in the last few years successful attacks targeting properties of SHA-1 showed that it is more than only back-dated. In a report published by Mozilla is a list of various violations that go against CA/Browser Forum’s baseline requirements. 

After a deep investigation of WoSign and StartCom, besides the back-dating of SHA-1 certs, WoSign has been accused of miss-issuing certificates for GitHub to a customer, where arbitrary domain names have been included in certs without prior validation.

 “Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” stated in the report by Mozilla.  “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.” – Mozilla report.

If customers have no faith in the validity of CA certificate system, the Internet will experience big problems. 

Having trustful  CA certificate system is essential to keep the Internet up and running.

“Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust,” Mozilla said.

Even previously SHA-1 has been considered as a weak hash therefore Mozilla team advices Certification Authorities (CAs) and Web site administrators to upgrade their certificates that contain hash functions that are much stronger and reliable such as: SHA-256, SHA-384, or SHA-512.

“We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: SHA-1 (until a practical collision attack against SHA-1 certificates is imminent) …” NIST Guidance recommended that SHA-1 certificates should not be trusted beyond 2014. However, there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017.”- Mozilla’s CA Certificate Maintenance Policy section

Therefore, stop everything you do and go check your SSL and Code Signing certificates and if they use the SHA-1 hash algorithm, replace it immediately and update it to a stronger one.

Moreover, in order to not experience any problems in the future install SSL security tool and stay worry free. 

1 comment: