On 1/4/16 11:20 AM, Richard Barnes wrote:
First a bit of good news: The overall trend line for SHA-1 errors is not
spiking (yet).  Bin 6 of SSL_CERT_VERIFICATION_ERRORS corresponds to
ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, which is what you get when you
reject a bad SHA-1 cert.

https://ipv.sx/telemetry/general-v2.html?channels=beta%20release&measure=SSL_CERT_VERIFICATION_ERRORS&target=6

Now for the bad news: Telemetry is actually useless for the specific case
we're talking about here.  Telemetry is submitted over HTTPS (about:config
/ toolkit.telemetry.server), so measurements from affected clients will
never reach the server.

So we can't get any measurements unless we revert the SHA-1 intolerance.
Given this, I'm sort of inclined to do that, collect some data, then maybe
re-enable it in 45 or 46.  What do others think?

I agree that we should revert the change (assuming it's not already too late given updates are over HTTPS) until we figure out how widespread this problem is and determine how to handle it.


--Richard


On Mon, Jan 4, 2016 at 1:43 PM, Richard Barnes <rbar...@mozilla.com> wrote:


On Mon, Jan 4, 2016 at 12:31 PM, Bobby Holley <bobbyhol...@gmail.com>
wrote:

On Mon, Jan 4, 2016 at 9:11 AM, Richard Barnes <rbar...@mozilla.com>
wrote:

Hey Daniel,

Thanks for the heads-up.  This is a useful thing to keep in mind as we
work through the SHA-1 deprecation.

To be honest, this seems like a net positive to me, since it gives users
a clear incentive to uninstall this sort of software.

By "this sort of software" do you mean "Firefox"? Because that's what 95%
of our users experiencing this are going to do absent anything clever on
our end.

We clearly need to determine the scale of the problem to determine how
much time it's worth investing into this. But I think we should assume that
an affected user is a lost user in this case.

I was being a bit glib because I think in a lot of cases, it won't be just
Firefox that's affected -- all of the user's HTTPS will quit working,
across all browsers.

I agree that it would be good to get more data here.  I think Adam is on
the right track.

--Richard


bholley



--Richard

On Mon, Jan 4, 2016 at 3:19 AM, Daniel Holbert <dholb...@mozilla.com>
wrote:

Heads-up, from a user-complaint/ support / "keep an eye out for this"
perspective:
  * Starting January 1st 2016 (a few days ago), Firefox rejects
recently-issued SSL certs that use the (obsolete) SHA1 hash
algorithm.[1]
  * For users who unknowingly have a local SSL proxy on their machine
from spyware/adware/antivirus (stuff like superfish), this may cause
*all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its
autogenerated certificates.  (Every cert that gets sent to Firefox will
use SHA1 and will have an issued date of "just now", which is after
January 1 2016; hence, the cert is untrusted, even if the spyware put
its root in our root store.)

  * I'm not sure what action we should (or can) take about this, but for
now we should be on the lookout for this, and perhaps consider writing
a support article about it if we haven't already. (Not sure there's much
help we can offer, since removing spyware correctly/completely can be
tricky and varies on a case by case basis.)

(Context: I received a family-friend-Firefox-support phone call today,
who had this exact problem.  Every HTTPS site was broken for her in
Firefox, since January 1st.  IE worked as expected (that is, it happily
accepts the spyware's SHA1 certs, for now at least).  I wasn't able to
remotely figure out what the piece of spyware was or how to remove it --
but the rejected certs reported their issuer as being "Digital Marketing
Research App" (instead of e.g. Digicert or Verisign).  Googling didn't
turn up anything useful, unfortunately; so I suspect this is "niche"
spyware, or perhaps the name is dynamically generated.)

Anyway -- I have a feeling this will be a somewhat-widespread problem,
among users who have spyware (and perhaps crufty "secure browsing"
antivirus tools) installed.

~Daniel

[1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
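As an added example (not code from the thread or from Firefox's verifier), a stdlib-only Python check that applies the policy Daniel describes to a DER-encoded certificate: it flags a certificate whose signature algorithm is SHA-1-based and whose notBefore is on or after 2016-01-01, which is exactly what a "just now" SHA-1 certificate from a local interception proxy triggers. The OID table, the minimal DER walker and the constructed certificate skeletons are assumptions of this example.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs treated as SHA-1-based (subset, for the example).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)   # issuance cut-off named in the thread

def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, end); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        out.append((tag, inner))
    return out

def oid(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_cert(der):
    """Return (sig_alg_oid, notBefore, rejected): rejected iff SHA-1 signed and issued >= CUTOFF."""
    tbs, sig_alg, _ = children(tlv(der)[1])     # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    (t, raw), _ = children(fields[3][1])         # validity ::= SEQUENCE { notBefore, notAfter }
    fmt = "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    not_before = datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)
    alg = oid(children(sig_alg[1])[0][1])
    return alg, not_before, alg in SHA1_SIG_OIDS and not_before >= CUTOFF

def der(tag, *parts):   # short-form DER encoder, enough for the constructed samples below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
def sample_cert(sig_oid, not_before):
    """Constructed minimal certificate skeleton (empty names, no key or real signature)."""
    alg = der(0x30, der(0x06, sig_oid), b"\x05\x00")
    validity = der(0x30, der(0x17, not_before), der(0x17, b"170101000000Z"))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02"), der(0x02, b"\x01"), alg, der(0x30), validity, der(0x30))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))
```

A real proxy-minted certificate has a key and signature the skeleton omits, but the two fields the policy depends on sit in the same positions, so the same walker applies.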
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
