Agreeing with positions held by Microsoft and Google, Mozilla announced on Tuesday that it would be phasing out certificates with SHA-1 based signature algorithms.
After Jan. 1, 2016, Firefox will present an “Untrusted Connection” error when a newly issued SHA-1 certificate is encountered, and after Jan. 1, 2017, Firefox will present an “Untrusted Connection” error whenever a SHA-1 certificate is encountered at all, according to a Tuesday post.
SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated mathematical weaknesses in SHA-1 that could be exploited given enough time and computing power, Richard Barnes, engineering manager for cryptography and PKI at Mozilla, told SCMagazine.com in a Wednesday email correspondence.
One issue in particular that is close to being practical is a collision attack, which “for certificates means that the attacker is able to find values for the contents of the certificate that hash to the same thing, [meaning] they will produce the same signature value,” Barnes said.
He explained, “This is a problem if one of these values is legitimate, but the other is fraudulent. If the attacker can convince a [Certification Authority (CA)] to sign the legitimate one, then it can swap in the fraudulent one and still have a certificate with a valid signature.”
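The swap Barnes describes works because a CA signs only the digest of a certificate body, so any two bodies with the same digest share one valid signature. The toy model below is an added illustration, not code from the article, Mozilla or any CA; it uses a constructed placeholder CA key, a constructed 24-bit truncation of SHA-1 as the "broken" hash so the birthday search finishes instantly, and SHA-256 as the hardened comparison.

```python
import hashlib
import hmac

# Constructed toy model, not Mozilla's or any CA's code. A real CA signs the
# digest of a certificate's to-be-signed (TBS) body, so two bodies with the
# same digest carry the same valid signature. The CA key is a placeholder.
CA_KEY = b"constructed-toy-ca-key"
LEGIT = b"CN=legit.example;O=Honest Co"  # body the CA is asked to sign
FRAUD = b"CN=bank.example;O=Attacker"    # body swapped in afterwards

def weak_digest(tbs: bytes) -> bytes:
    """Stand-in for a broken hash: SHA-1 truncated to 24 bits, so a birthday
    search finds a collision in milliseconds (real SHA-1 costs vastly more)."""
    return hashlib.sha1(tbs).digest()[:3]

def strong_digest(tbs: bytes) -> bytes:
    return hashlib.sha256(tbs).digest()  # one of the SHA-2 functions recommended

def ca_sign(tbs: bytes, digest) -> bytes:
    """HMAC over the digest models RSA/ECDSA: the signature covers the hash only."""
    return hmac.new(CA_KEY, digest(tbs), "sha256").digest()

def verify(tbs: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(ca_sign(tbs, digest), sig)

def find_collision(digest, table_size=1 << 14, limit=1 << 18):
    """Birthday search varying a serial-number field in each body. Returns a
    (legit, fraud) pair with equal digests, or None if none is found in time."""
    table = {}
    for i in range(table_size):
        body = LEGIT + b";serial=%d" % i
        table.setdefault(digest(body), body)
    for i in range(limit):
        fraud = FRAUD + b";serial=%d" % i
        legit = table.get(digest(fraud))
        if legit is not None:
            return legit, fraud
    return None

def forgery_succeeds(digest) -> bool:
    """Does a body the CA never signed verify under the CA's signature?"""
    pair = find_collision(digest)
    if pair is None:
        return False
    legit, fraud = pair
    sig = ca_sign(legit, digest)       # CA signs only the legitimate body
    return verify(fraud, sig, digest)  # the fraudulent body is presented instead
```

With the truncated hash the fraudulent body verifies under the CA's signature; with SHA-256 the search finds no collision and the swap fails.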
Obtaining a fraudulent certificate can lead to a browser trusting an attacker's website that fraudulently identifies itself as a user's bank website, Amol Sarwate, director of engineering at Qualys, told SCMagazine.com in a Wednesday email correspondence.
Developers will be reminded not to use a SHA-1 certificate via a security warning added to the Web Console, the post indicates, and CAs are being encouraged to use signature algorithms with stronger hash functions such as the SHA-2 cryptographic hash functions, which include SHA-256, SHA-384 and SHA-512.
“In general, the goal of designing a hash function is to make it harder to find collisions, much like the goal of an encryption function is to make it hard to figure out the plaintext from an encrypted message,” Barnes said. “The SHA-2 hashes apply more modern cryptographic tools to make the hashes more robust in this regard, just as modern encryption algorithms are stronger than old algorithms.”
Mozilla has been discussing the idea of phasing out SHA-1 for a while now, Barnes said, explaining that the company believes it is good for the health of the web PKI ecosystem for browsers to be reasonably consistent in handling certificates.