back to article Mozilla warns Firefox fans its SHA-1 ban could bork their security

Mozilla has warned Firefox users they may be cut off from more of the web than expected – now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm. If you use Firefox with some antivirus products, or on a network fitted with a box that inspects traffic for malicious stuff, and visit a site that …

  1. foxyshadis

    I've known this for a while

    Now all I really want is a list of sites that don't work, so I can either avoid them or try to pressure them to update. By now Mozilla must have done surveys and have a list or two.

    1. Nate Amsden

      Re: I've known this for a while

      all I want is the ability to override this behavior, firefox should treat this as a self signed cert in the worst case. Other times they have decided to drop support for some SSL feature or function they completely bocked it with a very cryptic error message, there's no reason to treat it any worse than a self signed cert and force the user to accept it.

      1. PassiveSmoking

        Re: I've known this for a while

        You can turn it off (the article even tells you how)

      2. John Sanders
        Mushroom

        Re: I've known this for a while

        But this would be the case should Mozilla was acting in the interest of their users, and not trying to make "an impact on the industry" and "laser focusing on the web".

        Mozilla lost the plot a while back.

        Their insistence on copying the dumbed down Chrome has driven many people to... Chrome.

        Heck even I use Chrome more and more simply because it doesn't eat my CPU for no reason, and if a page does eat CPU shit+esc and I can tell where the problem lies.

        One would think that Mozilla would try to copy/fix these issues on Firefox, but what do they come with?

        * Useless changes to the UI

        * More useless changes to the UI

        * Lots and lots of changes to the UI no one asked for, and lots clamoured against (Australis)

        * Remove all the functionality they can get away with and which people some times depend on

        * Remove back end functionality used by people to regain missing functionality through add-ons.

        * And the latest one... get rid of Thunderbird!? because it is not popular or needed...? sorry what?

        Now they are thinking on killing SHA1 so if you have an old device lingering around that uses these type of certificate you can not connect because Mozilla wants to prevent you from harm. Setting an exception you crazy? You silly, use a Windows XP computer with IE 6,7,8, because we can not bother to treat our users like intelligent beings and allow them to set an exception or set a setting somewhere to re-enable it in case someone truly needs it.

        I used to recommend Firefox, but I can not any more.

    2. Anonymous Coward
      Anonymous Coward

      Re: I've known this for a while

      Now all I really want is a list of sites that don't work, so I can either avoid them or try to pressure them to update.

      Unless you're referring to use of SHA-1 certificates in general, I think maybe you're missing the point; this article is about security devices between you and the internet that MITM your connection by generating their own SHA-1 certificates. In these circumstances every HTTPS site you try to connect to will be borked.

  2. arctic_haze Silver badge
    Facepalm

    Isn't The Reg one Firefox iteration late?

    In the release notes of the brand new Firefox 43.0.4, the most important change is:

    "Re-enable SHA-1 certificates (Bug 1236975)"

    Enjoy!

    1. DaLo

      Re: Isn't The Reg one Firefox iteration late?

      https://bugzilla.mozilla.org/show_bug.cgi?id=1236975

  3. Velv Silver badge
    WTF?

    The description doesn't makes sense or the third party scanning is flawed.

    The scanning device Is taking a valid certificate (albeit potentially week), and replacing it with a third party certificate, and end users are expected to trust it? Having spent years trying to stop the users from trusting just anything and only trusting the proved original?

    I guess I'm missing something...

    1. Anonymous Coward
      Anonymous Coward

      An AV system, firewall that uses 'deep scanning' technology allows a company to decrypt ssl traffic so it can be checked for viruses, company information, unauthorised use, bandwidth management policies, caching etc. The way it does this is to place itself as a trusted root in your certificate store then generate certificates on the fly for HTTPS sites you visit. It acts as a proxy.

      So you ask the 'security' device for https://www.securesite.com and the 'security' device pretends it is the secure site - in the background it asks the real securesite.com for the requested information (using its normall connection). The traffic flow in the 'security' device is therefore unencrypted (Man in the Middle) and can be analysed.

      Does this mean that an organisation can snoop on all your secured comms and banking passwords etc? Yes, it does.

      Does it break end-to-end trust relationship of the user <-> website? Yes it does.

      However, with malware using SSL now, it can be useful for securing a company network and data.

  4. Anonymous Coward
    Anonymous Coward

    Firefox is getting more and more flaky as they go out on their own and far too many websites are now unusable. It is all very well doing this but they shoukd have some mechanism for informing the more important websites of their security problems. I have tried several times informing banks etc etc about their certificate issues and support for insecure protocols but they just deny everything and don't understand or care about the issues. Don't suggest changing banks because they all have similar problems.

    On top of it all Firefox has the nerve to include insecure messaging protocols and other garbage that you can't uninstall.

    Perhaps the Register could have an ongoing headline front page item with a hall of shame for the worst security issues of big organisations. Of course they would complain that this is helping the hackers.

  5. Anonymous Coward
    Anonymous Coward

    Keep a sense of proportion

    "Bear in mind, though, that you're trading one security problem (the inability to filter malicious traffic) against another (the inability to securely verify the integrity of the HTTPS connection)."

    Just to be entirely clear:

    * Nobody has yet created any two documents with the same SHA-1 hash, even random birthday collisions

    * The $75,000 theoretical attack is not for a pre-image attack (i.e. where you make a document with some chosen content)

    Maybe these things will become feasible in the next year or two - that's why SHA-1 is being retired now.

    But if your PC is sitting behind a man-in-the-middle device, which decrypts all your traffic and then provides a spoof certificate to convince your browser it is actually connected directly to the target site, then you have much more serious security issues to worry about than that.

  6. Florida1920
    Unhappy

    Fortunately, there are alternatives

    When they undo the way they munged the search operation, still busted in 43.0.4, I might start using Firefox again.

    1. EddieD

      Re: Fortunately, there are alternatives

      Classic Theme Restorer erm, restores the good old search interface.

      I was going bananas, digging out my ESR installers, till those nice guys waved their wand.

      1. Florida1920

        Re: Fortunately, there are alternatives

        Thanks. Tried that, but for some reason it had no effect here. Chrome with Vanilla, Context Menu Search, uBlock Origin and ScriptBlock works for me. Blocking Google in uBlock only seems to affect the New Tab page. All of the other Google extensions are turned off. FF used to crash periodically; Chrome never does. Just can't find a reason to go back to FF.

  7. Norman Nescio

    Whitelist of names and/or IP addresses

    I have to manage various bits of kit via embedded web-servers. Manufacturers can have gone out of business, or simply not be interested in providing updated firmware - so I'd like Firefox to have the ability to whitelist certain ip addresses and/or domain names so that in general using SHA1 won't work, but for particular sites/devices, it will. I don't want to simply allow all sites. the current approach seems to be all or nothing, which is not particularly helpful.

  8. Allan George Dyer Silver badge
    Paris Hilton

    Shouldn't the MITM device developers be fixing their products?

    If you're directly connected to the internet, then Firefox is doing the right thing, stopping you using a "secure" connection that isn't.

    If you are behind an AV box using fake certificates to MITM and scan your traffic, the developer should be updating the product and should have already moved to SHA256. If the box isn't being updated (you're not paying the subscription, or the developer's discontinued it), you're better off without it.

  9. Michael Wojcik Silver badge

    Still wrong

    It has long been known that SHA-1 hashes are theoretically open to attack; in October this was proved in dramatic style with just $75,000 of cloud compute resources

    Repeating this doesn't make it any less false.

  10. allthecoolshortnamesweretaken

    Dammit El Reg, when will you learn? It's not a fox - it's a Red Panda!

  11. Mayhem

    SSL

    The biggest issue I find these days is logging onto routers and other consumer level web enabled devices.

    They all have legacy or flawed implementations of SSL and Java, and there is absolutely no chance of ever getting it updated - the manufacturers don't care, they'd rather sell you a new device.

    Yet Chrome and Firefox both have the idea that THIS IS BAD THEREFORE BLOCK BLOCK BLOCK. While I agree with the concept for web based sites, it really should be possible to whitelist a local network IP.

    At the moment I'm forced to use a dedicated old version of FF so that the NPAPI plugins work, and half the time I have to dig out IE 9 to access the login pages. Not exactly safe, but Chrome and FF are both actively preventing me doing my work in the real world.

  12. Anonymous Coward
    Anonymous Coward

    Suicide Fox

    I completely agree Firefox lost the plot ages ago. They are very selective about support for security and privacy. Look at all the uninstallable junk protocols, advertising and monitoring that are impossible or very difficult to remove. They even force the use of DRM unless you went for the DRM free EME-Free fork.

    I found I had to keep using addons to fight against the privacy and security issues they keep creating.

    Like most "free" software they have infinite development time for tweaking the appearance and making meaningless changes to the UI, but deliberately make it difficult to customise the simplest options by removing the capability to configure from the menus.

    Don't even mention the Android version, which is completely out of control.

    I gave up with Firefox and went for the Palemoon derivative which is simpler, more privacy oriented, mostly Google-free (unlike Firefox), but can be more flakey as they don't have many developers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020