Mozilla’s plan to block SHA-1 certificates backfires, temporarily puts it on hold

by Ashwin, January 8, 2016

Mozilla, the developer of the popular Firefox browser, has announced something that contradicts its previous plans.


The browser maker had announced in October 2015 that it was going to phase out SHA-1 certificates in the coming year.

And with the release of Firefox 43, which was rolled out in December, it put its plans into action. The browser began to reject websites that used SHA-1 certificates issued after December 31st 2015.

Well, this has had a disastrous result. Apparently, some users who updated to the latest version of Firefox were unable to access HTTPS sites that were still using certificates signed with the vulnerable hash algorithm.

Naturally, users complained to Mozilla and asked it to provide a solution. To be honest, there was only one thing the browser maker could do: allow users to visit those websites. But to do so, it had to update its browser with the necessary changes.

The finger of blame was pointed at antivirus apps and security scanners; Mozilla said they were responsible for the fiasco. This is what Richard Barnes, a Mozilla engineer, wrote on the official blog:

“When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server’s real certificate.”

ZDNet had posted an article about this a few months ago, saying that phasing out SHA-1 could lock many users out of HTTPS websites, and it was spot on.

Mozilla has released a minor update to Firefox, which brings the version to 43.0.4. This fixes the SHA-1 issue, but there was a new problem: users were unable to update to the new version of Firefox, because their browser could not connect to the server owing to the new certificates.

How to find out if you’re affected by this

Visit the official announcement page; if it loads for you, you’re not affected. If it does not load and gives you an error, all you have to do is update to the latest version of Firefox, which you can download from the official server.

Ironically, you will need to use a different browser, or an unaffected version of Firefox (any pre-43 version), to download the new version.
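The rule Firefox 43 applied, and the reason the antivirus proxies broke it, can be checked directly on the certificate a browser is handed: read the signature algorithm and the notBefore date out of the DER structure, and treat a SHA-1 signed certificate dated after December 31st 2015 as one Firefox 43 would reject. The script below is an added example written for this article, not Mozilla's code; it walks just enough of the X.509 DER encoding to find those two fields, and builds its own constructed, unsigned test certificates (not real ones) so it runs offline. The signature-algorithm OIDs are the standard X.509 values.

```python
import datetime

# Standard OIDs of the SHA-1 signature algorithms Firefox 43 started rejecting.
SHA1_RSA_OID = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption
SHA1_ECDSA_OID = "1.2.840.10045.4.1"       # ecdsa-with-SHA1
SHA1_DSA_OID = "1.2.840.10040.4.3"         # dsaWithSHA1
SHA1_SIGNATURE_OIDS = {SHA1_RSA_OID, SHA1_ECDSA_OID, SHA1_DSA_OID}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption

# Firefox 43 rejected SHA-1 certificates whose notBefore date falls after this day.
CUTOFF = datetime.date(2015, 12, 31)


def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_time(tag, body):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> date."""
    s = body.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        return datetime.date(1900 + yy if yy >= 50 else 2000 + yy, int(s[2:4]), int(s[4:6]))
    if tag == 0x18:
        return datetime.date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    raise ValueError("unexpected time tag 0x%02x" % tag)


def inspect_certificate(der_cert):
    """Pull the signature algorithm OID and notBefore date out of a DER X.509 certificate."""
    _, cert, _ = read_tlv(der_cert, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)           # [0] EXPLICIT version is optional
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)       # serialNumber
    _, sig_alg, pos = read_tlv(tbs, pos)     # signature AlgorithmIdentifier
    _, oid_body, _ = read_tlv(sig_alg, 0)
    _, _, pos = read_tlv(tbs, pos)           # issuer Name (skipped)
    _, validity, _ = read_tlv(tbs, pos)      # Validity ::= SEQUENCE { notBefore, notAfter }
    tag, not_before, _ = read_tlv(validity, 0)
    oid = decode_oid(oid_body)
    return {"signature_algorithm": oid,
            "sha1": oid in SHA1_SIGNATURE_OIDS,
            "not_before": decode_time(tag, not_before).isoformat()}


def firefox43_rejects(der_cert):
    """The Firefox 43 rule from the article: SHA-1 signed and issued after 2015-12-31."""
    info = inspect_certificate(der_cert)
    return info["sha1"] and datetime.date.fromisoformat(info["not_before"]) > CUTOFF


def build_test_certificate(sig_oid, not_before_iso):
    """Constructed, unsigned, structurally minimal DER certificate for testing only."""
    utc = datetime.date.fromisoformat(not_before_iso).strftime("%y%m%d000000Z").encode("ascii")
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +               # version v3
              der(0x02, b"\x01") +                           # serialNumber 1
              alg +                                          # signature
              der(0x30, b"") +                               # issuer (empty Name)
              der(0x30, der(0x17, utc) + der(0x17, utc)) +   # validity
              der(0x30, b"") +                               # subject
              der(0x30, b""))                                # subjectPublicKeyInfo placeholder
    return der(0x30, tbs + alg + der(0x03, b"\x00"))         # empty BIT STRING as signature


if __name__ == "__main__":
    # The second case is what an interception proxy hands the browser: a freshly minted SHA-1 cert.
    for oid, nb in [(SHA256_RSA_OID, "2016-01-05"), (SHA1_RSA_OID, "2016-01-05"), (SHA1_RSA_OID, "2015-06-01")]:
        cert = build_test_certificate(oid, nb)
        print(inspect_certificate(cert), "rejected" if firefox43_rejects(cert) else "accepted")
```

To run the check against a live site instead of the constructed certificates, convert the PEM returned by `ssl.get_server_certificate((host, 443))` with `ssl.PEM_cert_to_DER_cert()` and pass the result to `firefox43_rejects`. Seeing a SHA-1 certificate with a recent notBefore date for a site that is known to serve a SHA-256 one is exactly the interception signature Barnes describes: a middlebox re-signing the connection rather than the site's real certificate. Note that Firefox evaluated every certificate in the chain, whereas this example looks only at the leaf.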

Back in November, we reported that Microsoft would also begin to deprecate SHA-1 certificates. But unlike Mozilla, which jumped the gun, the Redmond company said it would only begin phasing out the vulnerable certificates after a year, i.e. in November 2016. As most websites haven’t upgraded to SHA-2 yet, this seems to be a good decision, for once.

Facebook was another company that decided against phasing out SHA-1 so early, as it could leave millions of users unable to access its website.