[tbb-bugs] #18042 [Tor Browser]: Make sure certificates signed with SHA-1 are not accepted anymore in ESR 45

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 12 16:36:17 UTC 2016


#18042: Make sure certificates signed with SHA-1 are not accepted anymore in ESR 45
------------------------------------+--------------------------
 Reporter:  gk                      |          Owner:  tbb-team
     Type:  task                    |         Status:  new
 Priority:  High                    |      Milestone:
Component:  Tor Browser             |        Version:
 Severity:  Major                   |     Resolution:
 Keywords:  tbb-security, ff45-esr  |  Actual Points:
Parent ID:                          |         Points:
  Sponsor:                          |
------------------------------------+--------------------------

Comment (by bugzilla):

 The situation is much more complicated (even Mozilla released several out
 of schedule patches :)
 It started from M$: they decided to deprecate SHA-1 for CAs from 2016.
 So Mozilla had to update their distributives. But XP SP2, Vista (SP?), 7
 are incompatible with their solution, so they decided to split their
 development process into two trees: for newer and for older systems (no
 future updates on main branch since FF 43.0.1).
 Thinking that deprecation will improve security, Mozilla decided to
 suppress SHA-1 in certificates (which is not required by M$). But a lot of
 software is using it, which leads to incompatibility, so another hotfix
 (43.0.4) was fired.
 Summary: SHA-1 officially reported as weak but secured. CAs continue to
 issue SHA-1 certs, but must use SHA-2 certs for themselves. ESR behaviour
 is still not developed by Mozilla.
 Rejecting SHA-1 certs non-optionally is definitely the wrong solution.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18042#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

