Menu
Mozilla mulls early cutoff for SHA-1 digital certificates

Mozilla mulls early cutoff for SHA-1 digital certificates

The browser maker might decide to ban SHA-1 digital certificates in July 2016

In light of recent advances in attacks against the SHA-1 cryptographic function, Mozilla is considering banning digital certificates signed with the algorithm sooner than expected.

The CA/Browser Forum, a group of certificate authorities and browser makers that sets guidelines for the issuance and use of digital certificates, had previously decided that new SHA-1-signed certificates should not be issued after Jan. 1, 2016.

Browser makers have also decided that existing SHA-1 certificates will no longer be trusted in their software starting Jan. 1, 2017, even if they're technically set to expire after that date.

On Tuesday, Mozilla announced that it's re-evaluating the cutoff date and is considering the feasibility of pushing it forward by six months, on July 1, 2016. The decision is guided by recent research that improves the practicality of attacks against SHA-1.

Earlier this month Thomas Peyrin of Nanyang Technological University (NTU) in Singapore, Marc Stevens of the Centrum Wiskunde and Informatica in the Netherlands and Pierre Karpman of both NTU and Inria in France, published a research paper that describes a new way to break SHA-1.

The researchers estimate that pulling off their attack, which breaks the full 80 rounds of SHA-1, would cost between US$75,000 and $120,000 using commercial cloud-computing resources, a price that many cybercriminal groups can afford. While their particular attack can not be used to forge SSL certificates, it clearly shows that the practicability of breaking SHA-1 signatures is increasing at a much faster pace than previously anticipated.

"We advise the industry to not play with fire, and accelerate the migration process toward SHA2 and SHA3, before such dramatic attacks become feasible," Thomas Peyrin told the IDG News Service earlier this month.

It seems that the industry is listening. Following the research's publication, the CA/Browser Forum withdrew a motion put forward by Symantec and endorsed by Entrust, Microsoft and Trend Micro to allow the issuance of SHA-1 certificates throughout 2016 in order to accommodate "a very small number of very large enterprise customers" who cannot complete the transition to SHA-2 certificates by the end of this year.

According to Internet services company Netcraft, almost one million SHA-1 SSL certificates are still in use on the Internet, 120,000 of which were issued in 2015 and 3,900 having expiry dates past Jan. 1, 2017. According to statistics from the SSL Pulse project, 24 percent of the world's top 143,000 HTTPS websites by traffic use SHA-1 certificates.

Google Chrome is already displaying different connection security indicators for HTTPS websites that use SHA-1 certificates than for those that use SHA-2 certificates in order to encourage migration away from the aging hash function.

Webmasters who are concerned about the cost of replacing their certificates will soon have a free alternative. A non-profit certificate authority called Let's Encrypt will launch in November and announced Monday that it's root certificates have been cross-signed by IdenTrust and are now trusted by all major browsers.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments