Sorry, I just realized that I didn't reply to the whole list.

-------- Forwarded Message --------
Subject: Re: SHA1
Date: Wed, 17 Sep 2014 21:23:11 +0200
From: [email protected]
To: Kathleen Wilson <[email protected]>

Showing a security warning in the console sounds great and this should be implemented soon. But I would prefer an additional warning in the browser bar (like mixed content) and maybe also some stats in the page information before 2017. This would force server admins to get new certificates.

On 17.09.2014 at 19:55, Kathleen Wilson wrote:
> On 9/6/14, 8:38 AM, Kosuke Kaizuka wrote:
>> On Sat, 06 Sep 2014 16:34:06 +0200, Sjw wrote:
>>> Hi everyone
>>>
>>> At present, there are a lot of articles that the weak SHA1 certificates
>>> with a long duration will be marked as weak/insecure in some browsers
>>> soon and in a few years they won't be accepted anymore.
>>> Does Mozilla have similar plans? Sadly I can't find a similar option in
>>> current Nightly.
>>
>> Please see Bug 942515.
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=942515
>>
>
> Also see:
> https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates
>
>
> Here's a proposal regarding indicators about SHA1 certificates...
>
> 1) Mozilla could (relatively quickly) add a security warning to the
> Web Console to warn about SHA-1 certificates that expire after January
> 1, 2017. The target audience of this indicator is web developers and
> web site administrators inspecting their pages.
>
> https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Security_warnings_and_errors
>
>
> 2) After January 1, 2017, Firefox would show the "Untrusted
> Connection" error whenever a SHA-1 certificate is encountered.** Note
> that the "Untrusted Connection" error is overrideable.
>
> 3) Based on telemetry, at some point after January 1, 2017, move the
> SHA-1 error to not-overrideable.** Note that it could remain
> overrideable for self-signed certs.
>
> ** Of course, Mozilla would take this action earlier if needed to keep
> users safe.
>
>
> Does that sound reasonable?
>
> Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

