Mozilla is allowing another exception to its October decision to deprecate SHA-1 certificates. The open-source software maker will allow Symantec to issue nine new certificates to the payment processor Worldpay, to maintain 10,000 payment terminals.
The move has set off concerns that the exception will set Mozilla on a slippery slope, and that it will soon face pressure to issue exceptions to other certificate authorities.
“We understand that there are payment processing organizations other than Worldpay that continue to have similar requirements for SHA-1 — either within the Web PKI or outside it,” wrote Firefox security lead Richard Barnes, on the Mozilla security blog. “It is disappointing that these organizations are putting the public’s data at risk by using a weak, outdated security technology.”
Last month, Mozilla’s Firefox browser started to reject the insecure SHA-1 certificates, but the company promptly issued a Firefox update after noticing that legitimate “man-in-the-middle” devices, including some security scanner models and antivirus products, could not connect to HTTPS sites. At the time, Barnes wrote in an email to SCMagazine.com that Firefox would remove support for SHA-1 certificates again as soon as the man-in-the-middle issue was resolved.