[tor-bugs] #18042 [Tor Browser]: Make sure certificates signed with SHA-1 are not accepted anymore in ESR 45
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 12 16:36:17 UTC 2016
#18042: Make sure certificates signed with SHA-1 are not accepted anymore in ESR 45
------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-security, ff45-esr | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------+--------------------------
Comment (by bugzilla):
The situation is much more complicated (even Mozilla released several out
of schedule patches :)
It started from M$: they decided to deprecate SHA-1 for CAs from 2016.
So Mozilla had to update their distributives. But XP SP2, Vista (SP?), 7
are incompatible with their solution, so they decided to split their
development process into two trees: for newer and for older systems (no
future updates on main branch since FF 43.0.1).
Thinking that deprecation will improve security, Mozilla decided to
suppress SHA-1 in certificates (which is not requred by M$). But a lot of
software is using it that leads to incompatibility, so another hotfix
(43.0.4) was fired.
Summary: SHA-1 officially reported as weak but secured. CAs continue to
issue SHA-1 certs, but must use SHA-2 certs for themselves. ESR behaviour
is still not developed by Mozilla.
Reject SHA-1 certs not optionally is definitely wrong solution.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18042#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list