Phasing Out Certificates with SHA-1 based Signature Algorithms

Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. A CA does not sign the certificate bytes directly; it signs a hash of them, so the collision resistance of that hash function is a critical element in the security of the certificate. If an attacker can produce two different certificates that hash to the same value, a CA’s signature over the harmless one is equally valid for the other, which is how weaknesses in hash algorithms lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.

SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks against SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have already been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1 now.

We encourage Certification Authorities (CAs) and Web site administrators to upgrade their certificates to use signature algorithms with hash functions that are stronger than SHA-1, such as SHA-256, SHA-384, or SHA-512. Mozilla’s CA Certificate Maintenance Policy section 8 says: “We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: SHA-1 (until a practical collision attack against SHA-1 certificates is imminent) …” NIST Guidance recommended that SHA-1 certificates should not be trusted beyond 2014. However, there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017.

In particular, CAs should not be issuing new SHA-1 certificates for SSL and Code Signing, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates. The signature on a root certificate itself is not at issue: roots are trusted because they are included in the root store, not because of their signature, so what matters is the hash used in the signatures on intermediate and end-entity certificates. If a CA still needs to issue SHA-1 certificates for compatibility reasons, those certificates should expire before January 1, 2017. More information is available in Mozilla’s list of Potentially Problematic CA Practices.

We plan to add a security warning to the Web Console to remind developers that they should not be using a SHA-1 based certificate. We will display an additional, more prominent warning if the certificate will be valid after January 1, 2017, since we will reject that certificate after that date. We plan to implement these warnings in the next few weeks, so they should be appearing in released versions of Firefox in early 2015. We may implement additional UI indicators later. For instance, after January 1, 2016, we plan to show the “Untrusted Connection” error whenever a newly issued SHA-1 certificate is encountered in Firefox. After January 1, 2017, we plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.

Please check your SSL and Code Signing certificates and replace any which use the SHA-1 hash algorithm, and contact mozilla.dev.security.policy if you have comments or concerns.

Mozilla Security Engineering Team
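As an added example (not Mozilla’s code and not part of the original post), the following Python script audits a certificate chain against the timeline above: it flags certificates whose signatureAlgorithm is SHA-1 based, singles out those still valid past January 1, 2017 (the case that gets the more prominent warning), and skips the self-signed root, which is trusted by its presence in the root store rather than by its own signature. It uses only the standard library, so it carries a small DER walker instead of an X.509 library. The sample chain is constructed inline (real DER layout, dummy signature bits, no key material), and the meaning of “newly issued” (notBefore on or after 2016-01-01) is an assumption, since the post does not define it.

```python
# Signature-algorithm OIDs that use SHA-1 (RFC 3279 / RFC 5758).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsa-with-sha1", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
ISSUANCE_CUTOFF = "2016-01-01"   # post: no new SHA-1 certificates after this date
TRUST_CUTOFF = "2017-01-01"      # post: no SHA-1 certificates trusted after this date (ISO strings compare correctly)

def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Elements of a SEQUENCE/SET value as a list of (tag, value_start, value_end)."""
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def _oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)        # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _time(tag, raw):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18) -> 'YYYY-MM-DD'."""
    s = raw.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return f"{s[:4]}-{s[4:6]}-{s[6:8]}"

def parse_cert(der):
    """Signature OID, validity and raw subject/issuer of one DER-encoded certificate."""
    tbs, sig_alg = _children(der, *_tlv(der, 0)[1:])[:2]   # Certificate ::= {tbs, sigAlg, sig}
    oid = _children(der, sig_alg[1], sig_alg[2])[0]        # AlgorithmIdentifier.algorithm
    f = _children(der, tbs[1], tbs[2])
    if f[0][0] == 0xA0:                                    # optional [0] EXPLICIT version
        f = f[1:]
    issuer, validity, subject = f[2], f[3], f[4]           # after serialNumber and signature
    nb, na = _children(der, validity[1], validity[2])
    return {"sig_oid": _oid(der[oid[1]:oid[2]]),
            "not_before": _time(nb[0], der[nb[1]:nb[2]]), "not_after": _time(na[0], der[na[1]:na[2]]),
            "issuer": der[issuer[1]:issuer[2]], "subject": der[subject[1]:subject[2]]}

def classify(info, today):
    """Browser action for one non-root certificate on a given date. 'Newly issued' is
    not defined in the post; assumed here to mean notBefore on or after 2016-01-01."""
    if info["sig_oid"] not in SHA1_SIG_OIDS:
        return "ok"
    if today >= TRUST_CUTOFF:
        return "reject"                      # Untrusted Connection for any SHA-1 cert
    if today >= ISSUANCE_CUTOFF and info["not_before"] >= ISSUANCE_CUTOFF:
        return "reject"                      # Untrusted Connection for a newly issued one
    if info["not_after"] >= TRUST_CUTOFF:
        return "warn-valid-past-2017"        # the more prominent console warning
    return "warn-sha1"                       # the plain console warning

def audit_chain(ders, today):
    """Classify a leaf-to-root chain; a self-signed root is trusted by inclusion, not by its hash."""
    out = []
    for info in map(parse_cert, ders):
        if info["subject"] == info["issuer"]:
            out.append(("root", "trusted-by-inclusion"))
        else:
            out.append((SHA1_SIG_OIDS.get(info["sig_oid"], info["sig_oid"]), classify(info, today)))
    return out

# Constructed sample chain: real DER layout, dummy signature bits, no real key material.
def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

SHA1_RSA = bytes.fromhex("06092a864886f70d010105")     # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
CN = bytes.fromhex("0603550403")                       # OID 2.5.4.3 (commonName)
def make_cert(subject_cn, issuer_cn, sig_oid_der, not_before, not_after):
    """Unsigned sample certificate; only the fields the audit reads are meaningful."""
    alg = _der(0x30, sig_oid_der + b"\x05\x00")
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, CN + _der(0x0C, cn.encode()))))
    utc = lambda d: _der(0x17, (d[2:4] + d[5:7] + d[8:10] + "000000Z").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, utc(not_before) + utc(not_after)) + name(subject_cn))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

SAMPLE_CHAIN = [   # leaf, intermediate, root: all SHA-1 signed, as many chains were in 2014
    make_cert("www.example.test", "Example Issuing CA", SHA1_RSA, "2014-09-01", "2017-06-01"),
    make_cert("Example Issuing CA", "Example Root", SHA1_RSA, "2013-01-01", "2016-06-01"),
    make_cert("Example Root", "Example Root", SHA1_RSA, "2005-01-01", "2025-01-01"),
]

if __name__ == "__main__":
    for name, verdict in audit_chain(SAMPLE_CHAIN, "2015-01-15"):
        print(f"{name:24s} {verdict}")
```

To run it against a live site, feed `audit_chain` the DER of each certificate that `openssl s_client -showcerts` prints (base64-decode the body of each PEM block) in leaf-to-root order; `openssl x509 -noout -text` shows the same “Signature Algorithm” field if you only want a quick manual check of one certificate.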

11 responses

  1. Bill Gianopoulos wrote on :

    I think it might make sense to show the “untrusted connection” error on SHA-1 based certificates that expire after January 2017 even before that date.

  2. null wrote on :

    Hope users will be able to add a security exception – can’t use Usermin at office with FF >= 33 – cert is too small 🙁

    1. Daniel Veditz wrote on :

      This post is about future changes we plan to make regarding SHA-1 hashes, they’re unrelated to any changes already made.

      Where did your certificate come from, is it generated by usermin? The certificate on their demo site is perfectly fine in Firefox 35 (nightly) apart from the name mismatch.
      https://usermin-demo.virtualmin.com/

      1. null wrote on :

        from old usermin 1.160 – but it shouldn’t matter where/when (size) – giving the user just a (vague) error message without the ability to (consciously) add a sec. exception, like in any other scenario with abnormal https certs, is a bit limiting imho.

  3. Allen Greene wrote on :

    In the posting above, you state that you plan on implementing these warnings in the next few weeks and they should start appearing in early 2015, regarding that – are you speaking of the developers web portal?

    I’m trying to confirm the schedule of when the end user will start to see changes for sites that contain the SHA1 certificate. In the posting, it was stated:

    “For instance, after January 1, 2016, we plan to show the “Untrusted Connection” error whenever a newly issued SHA-1 certificate is encountered in Firefox. After January 1, 2017, we plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.”

    Will there be any indications or warning before 1/1/2016?

    1. Gervase Markham wrote on :

      None are planned at the moment, but the blog post says: “We may implement additional UI indicators later.”

      Gerv

  4. Stig Jakobsen wrote on :

    Thank you for this post, glad to see some information about your thoughts of this subject.

    Have you defined what you mean by newly issued SHA-1 certificates? Would it be new certificates that expire in 2017, or also newly issued certificates which expire before 2017 (short-lived certificates)?

    Are there plans to implement any UI warnings for the users regarding certificates before 2017 (something along the lines of what we will see in Chrome)?

  5. Stefan L. wrote on :

    What about root CAs that are signed with SHA-1? Quite a lot of them are still actively used to sign certificates. Will my SHA-256 certificates still be usable when they are signed by a SHA-1 root CA?

    1. Daniel Veditz wrote on :

      Roots are trusted by virtue of their inclusion in Firefox; it doesn’t matter how they are signed. It will matter what hash is used in the intermediate signatures, however.

  6. Vishal wrote on :

    A day ago, I tested some websites on sha2sslchecker.com. It provides detailed information about the certificate. It is very helpful for completing my research study.

    I was surprised when I tested google.com: they are still using a SHA-1 certificate.

    https://www.sha2sslchecker.com/index.php/google.com

    Even most leading SSL vendors (symantec.com, comodo.com, globalsign.com, geotrust.com, thawte.com, namecheap.com) haven’t upgraded their certificates from SHA-1 to SHA-2.

    Symantec is using two different certificates for symantec.com (with SHA-1) and http://www.symantec.com (with SHA-2).

    I have also tested some SSL vendors who are serious about their security, and they have SHA-2 certificates: digicert.com, entrust.com, ssl2buy.com, qualityssl.com, prontossl.com.

    1. Daniel Veditz wrote on :

      There are still quite a few devices that can’t handle SHA-2, with Windows XP SP2 and below being a big chunk of that (even though it’s officially unsupported by Microsoft). There are servers that can handle offering different certs to different clients (as you’ve noticed with Symantec) but unfortunately the TLS/SSL front end Mozilla uses does not. Switching to a SHA-2 root cost Mozilla 145,000 Firefox downloads a week and had to be reverted for now[1] and likely other websites have found the same problem. We’ll try again when we’ve gotten a fix (or replacement) for our TLS hardware, or when more WinXP machines have gone away.

      [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c5