Mozilla backs off SHA-1 ban as users blocked from HTTPS websites


Mozilla has temporarily reinstated support in Firefox for the SHA-1 certificates it recently dropped, after users were unable to access HTTPS-encrypted websites.

The SHA-1 cryptographic algorithm was discarded by major technology firms including Mozilla on 31 December after experts concluded that it has become increasingly vulnerable to hackers and nation-state attacks.

As computing power grows and the cost of cracking the algorithm falls, experts have decided that it’s time to embrace stronger protection. Companies including Google and Microsoft are now enforcing the exclusive use of SHA-2 security certificates.

However, this means that websites without updated encryption certificates won’t be accessible on newer browsers such as Firefox, Chrome and Edge. Additionally, most public Certification Authorities will no longer issue SHA-1-based certificates.

Yet, despite embracing the change, Mozilla has done a temporary U-turn, revealing that users behind ‘man-in-the-middle’ prevention systems, such as antivirus software or security scanners, were unable to access HTTPS-protected websites.

Richard Barnes, a security engineer at Mozilla, said: “When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server’s real certificate. Since Firefox rejects new SHA-1 certificates, it can’t connect to the server.”

Barnes explained that Mozilla remains “committed to removing support for SHA-1 certificates” and advises users to manually install the newest version of Firefox using an unaffected copy of the browser.

“You should also make sure that any systems you have that might be doing man-in-the-middle are up-to-date, for example some antivirus software or security scanning devices,” he added.
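One way to put the check Barnes describes into code, as an added example that is not Mozilla's or Firefox's own: it parses just enough DER to read a certificate's signature algorithm and notBefore date and applies the rule "new SHA-1 certificate, reject". The 1 January 2016 cut-off is an assumption drawn from the 31 December deadline above, the sample certificates are constructed inside the script so it runs offline, and the function names are mine.

```python
# Added example (not Mozilla's code): classify a DER-encoded X.509 certificate the
# way the SHA-1 cut-off above does. A SHA-1-signed certificate whose notBefore is
# on or after the assumed cut-off of 2016-01-01 is "reject"; anything else is "accept".
from datetime import datetime

# DER-encoded OID bodies: sha1WithRSAEncryption, dsaWithSHA1, ecdsa-with-SHA1
SHA1_OIDS = {bytes.fromhex(h) for h in ("2a864886f70d010105", "2a8648ce380403", "2a8648ce3d0401")}
CUTOFF = datetime(2016, 1, 1)  # assumed cut-off (UTC), taken from the 31 December deadline above

def tlv(buf, pos):
    # Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths.
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_time(tag, v):
    s = v.decode("ascii")
    if tag == 0x17:  # UTCTime carries a two-digit year: 50-99 => 19xx, else 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")

def inspect(cert_der):
    # Return (outer signatureAlgorithm OID bytes, notBefore) of a certificate.
    _, cert, _ = tlv(cert_der, 0)
    _, tbs, p = tlv(cert, 0)          # tbsCertificate
    _, alg, _ = tlv(cert, p)          # outer signatureAlgorithm
    _, alg_oid, _ = tlv(alg, 0)
    tag, _, p = tlv(tbs, 0)
    p = p if tag == 0xA0 else 0       # skip the optional [0] EXPLICIT version
    for _ in range(3):                # serialNumber, signature, issuer
        _, _, p = tlv(tbs, p)
    _, validity, _ = tlv(tbs, p)
    tag, nb, _ = tlv(validity, 0)
    return alg_oid, parse_time(tag, nb)

def sha1_cutoff_policy(cert_der):
    alg, not_before = inspect(cert_der)
    return "reject" if alg in SHA1_OIDS and not_before >= CUTOFF else "accept"

def der(tag, body):  # constructed sample input: builder for short-form DER (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

def fake_cert(sig_oid_hex, not_before):
    # Structurally valid but unsigned certificate, like one a proxy would mint on the fly.
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    validity = der(0x30, der(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode()) + der(0x18, b"20261231235959Z"))
    empty = der(0x30, b"")  # placeholder Name / SubjectPublicKeyInfo
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + empty + validity + empty + empty)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

A certificate minted by an interception device after the cut-off, such as `fake_cert("2a864886f70d010105", datetime(2016, 1, 5))`, comes back "reject", while the same certificate dated 2015 or signed with sha256WithRSAEncryption is accepted.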

Security experts predicted last year that problems would surface as firms migrate from SHA-1 algorithms.

Matthew Prince, chief executive of CloudFlare, explained that “globally, SHA-2 is supported by at least 98 percent of browsers”. However, the remaining percentage, despite being a seemingly low number, is still equivalent to over 37 million people.

“That’s the equivalent of the population of California not having access to encryption unless they upgrade their devices,” he said.

“As SHA-2-only sites proliferate, if these users on SHA-1-only browsers try and access an encrypted site, they’ll see an error page that completely blocks their access.”

Facebook chief security officer Alex Stamos estimated in December that “tens of millions” of people, largely from developing countries, would not be able to get secure access to the internet from January 2016.

“The likely outcome in those countries will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations,” he warned.

Facebook research shows that three to seven percent of browsers currently in use are not able to use the newer SHA-2 standard.

“This is not an easy issue, and there are well-meaning people with good intentions who will disagree. We hope that we can find a way forward that promotes the strongest encryption technologies without leaving behind those who are unable to afford the latest and greatest devices,” Stamos said.


8 January 2016 | 3:24 pm – Source:

