{"id":2070,"date":"2016-02-24T16:20:15","date_gmt":"2016-02-25T00:20:15","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2070"},"modified":"2016-09-30T02:47:32","modified_gmt":"2016-09-30T09:47:32","slug":"payment-processors-still-using-weak-crypto","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2016\/02\/24\/payment-processors-still-using-weak-crypto\/","title":{"rendered":"Payment Processors Still Using Weak Crypto"},"content":{"rendered":"<p>Part of how Mozilla protects the Web is by participating in the governance of the Web PKI, the system of security certificates that allows websites to authenticate themselves to browsers. Together with <a href=\"https:\/\/cabforum.org\">the other browsers and stakeholders in the Web<\/a>, we agree on <a href=\"https:\/\/cabforum.org\/baseline-requirements-documents\/\">standards<\/a> for how such certificates are issued. \u00a0We then require that these standards, plus a few <a href=\"https:\/\/www.mozilla.org\/about\/governance\/policies\/security-group\/certs\/policy\/\">additional ones specific to Mozilla<\/a>, be applied to all certificates which are issued, directly or indirectly, by the \u201croots\u201d that Firefox trusts.<\/p>\n<p>We have been notified that some payment providers are using Web PKI certificates (i.e. certificates which chain up to roots trusted by Firefox) to secure the connection between central servers and payment terminals, for the purpose of transmitting payment data over the public Internet. Unfortunately, some of those non-browser users of the Web PKI have not kept up with the advances in security that the Web is achieving. The SHA-1 hash algorithm (used to validate the integrity of a certificate) has been declared obsolete in the Web PKI, but these providers have failed to upgrade these devices to support its replacement, SHA-2, despite the SHA-1 deadlines having been set years ago. 
As a result, many payment-related devices continue to require their servers to have certificates which use SHA-1 in order to be able to operate.<\/p>\n<p>In particular, <a href=\"http:\/\/www.worldpay.com\">Worldpay PLC<\/a> approached Mozilla through their Certificate Authority, <a href=\"https:\/\/www.symantec.com\/\">Symantec<\/a>, to request authorization to issue, in violation of standard policy, a limited number of SHA-1 certificates needed to support a large number of outdated devices. They made this request less than two weeks before the authorization needed to be effective. To avoid disruption for users of these devices, after a <a href=\"https:\/\/groups.google.com\/forum\/#!topic\/mozilla.dev.security.policy\/RHBHXJOG8Io\">discussion on the dev.security.policy mailing list<\/a>, in this particular case we have decided to <a href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/RHBHXJOG8Io\/FJuaWeXAAQAJ\">allow<\/a> these certificates to be issued, but only under a set of conditions that ensure that the issuance of SHA-1 certificates is fully transparent and allowed only for purposes of transition to SHA-2.<\/p>\n<p>This authorization means that Symantec can issue SHA-1 certificates that will enable Worldpay\u2019s devices to keep operating a while longer, and that issuance will not be regarded by Mozilla as a defect. This decision only affects the Mozilla root program; other root programs may still consider the issuance of these certificates to be a mis-issuance.<\/p>\n<p>We understand that there are payment processing organizations other than Worldpay that continue to have similar requirements for SHA-1 \u2014 either within the Web PKI or outside it. It is disappointing that these organizations are putting the public\u2019s data at risk by using a weak, outdated security technology. 
\u00a0We encourage organizations with a continuing need for SHA-1 in the Web PKI to come forward as soon as possible and provide as much detail as possible about their plans for a transition to SHA-2.<\/p>\n","protected":false},"author":998,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[282900],"yoast_head_json":{"title":"Payment Processors Still Using Weak Crypto - Mozilla Security Blog","canonical":"https:\/\/blog.mozilla.org\/security\/2016\/02\/24\/payment-processors-still-using-weak-crypto\/","twitter_misc":{"Written by":"Richard Barnes","Est. reading time":"2 minutes"}}}