On 7/4/2014 6:27 AM, Hubert Kario wrote: > The newly released NSS 3.16.3 doesn't include 1024 bit CA certificates > any more[1]. This will of course impact users of servers that still use > it. > > Interestingly, some intermediate CA certificates that were originally > signed by those 1024 bit CA certificates got cross signed using > different roots that will remain trusted[2]. In particular I mean the > "USERTrust Legacy Secure Server CA" certificate. > > Problem is, that some administrators haven't updated their servers > to provide the new intermediate certificate for 3 years. As such, > I don't think we can realistically expect all of them to update their > configuration now. > > While testing found just 217 sites as of 2014-05-30 that are > impacted by this change[2], it did test only top 200 000 > SSL enabled servers. I'd estimate the total number in Alexa top 1M > alone at over 373k. Moreover, some of those sites include sites that > are in the top 10000 sites, like groupon.my[3]. So loss of connectivity > to them may have bigger impact than the above quoted 217 could lead > us to believe. > > That's why I think that we should ship the intermediate CA certificates > to make Firefox continue to interoperate with such sites. > I don't mean only the USERTrust certificate, but others too, if they > exist. > > 1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1021967 > 2 - https://bugzilla.mozilla.org/show_bug.cgi?id=936304 > 3 - https://www.ssllabs.com/ssltest/analyze.html?d=groupon.my >
Why should Mozilla provide cover for server administrators who fail to update their servers and for certification authorities who fail to communicate clearly with their customers? I believe such action will only encourage further such failures. If the servers and certification authorities can actually be identified and contact individuals be found, I would go as far as to inform them that 1024 root certificates will no longer function in Mozilla products by some date and suggest how to mitigate that situation (e.g., by updating intermediate certificates to point to newer roots). I would not go further. -- David E. Ross <http://www.rossde.com/> On occasion, I filter and ignore all newsgroup messages posted through GoogleGroups via Google's G2/1.0 user agent because of spam, flames, and trolling from that source. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
