remove support for sha-1 signatures in all certificates (including imported roots)
Categories
(Core :: Security: PSM, task, P1)
Tracking
()
People
(Reporter: keeler, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
Previously, sha-1 signatures in certificates were disabled by default, except for certificates issued by imported roots. Chrome had a similar policy, but this was removed in 71 [0]. Telemetry [1] indicates that some users do still encounter sha-1 signatures at a fraction of the rate of overall certificate errors, so forbidding all sha-1 signatures should have minimal compatibility impact.
[0] https://chromeenterprise.google/policies/#EnableSha1ForLocalAnchors
[1] https://mzl.la/3kg5J4j
Assignee
Comment 1 • 2 years ago
Previously [0], support for SHA1 signatures in certificates was disabled by
default, except for certificates issued by imported roots. Chrome had a similar
policy, but this was removed in 71 [1]. Telemetry [2] indicates that some users
do still encounter SHA1 signatures at a fraction of the rate of overall
certificate errors, so forbidding all SHA1 signatures should have minimal
compatibility impact.
[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
[1] https://chromeenterprise.google/policies/#EnableSha1ForLocalAnchors
[2] https://mzl.la/3kg5J4j
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8ef044a6a1fe remove support for SHA1 signatures in all certificates (including imported roots) r=jschanck
Comment 3 • 2 years ago
Backed out changeset 8ef044a6a1fe (Bug 1766687) for causing bustage in NSSCertDBTrustDomain.cpp
Log: https://treeherder.mozilla.org/logviewer?job_id=379823070&repo=autoland&lineNumber=22684
Backout: https://hg.mozilla.org/integration/autoland/rev/e91ede345c921b7d8c91caf6a4389323163eaac6
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a4a8545b202f remove support for SHA1 signatures in all certificates (including imported roots) r=jschanck
Assignee
Comment 6 • 2 years ago
Release Note Request (optional, but appreciated)
[Why is this notable]: Users previously had the option of enabling SHA-1 support in certificate signatures, which is not secure, but this change removes that option.
[Affects Firefox for Android]: yes
[Suggested wording]: Removed configuration option to allow SHA-1 signatures in certificates. SHA-1 signatures in certificates, long since determined to no longer be secure enough, are now not supported.
[Links (documentation, blog post, etc)]:
Comment 7 • 2 years ago
Note added to 103 nightly notes