Mozilla to Add SHA-1 Security Warnings

Yesterday Mozilla announced that it, too, will discontinue trust in sites secured with SHA-1 certificates, and that it will add warnings to both the Firefox Web Console and the browser itself starting next year.

In their blog post, Mozilla explained the security situation with SHA-1 and stated that they agreed with Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016 or trusted after January 1, 2017.

SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.

– Mozilla Security Blog

Mozilla will add a security warning to the Web Console to remind developers that they should not be using SHA-1 certificates. This warning will be more prominent if the certificate's validity period extends past January 1, 2017, the date after which SHA-1 certificates will no longer be trusted. These warnings will appear in the released versions of Firefox in early 2015.

Mozilla also plans to add warnings to the Firefox browser itself. In 2016, Firefox will begin to show an “Untrusted Connection” error when it encounters a SHA-1 certificate issued after January 1, 2016, and in 2017 Firefox will show an “Untrusted Connection” error whenever any SHA-1 certificate is encountered, regardless of when it was issued.

This trust deprecation timeline matches what Microsoft announced previously in 2013. Since DigiCert has been preparing for this timeline for the last year, most DigiCert customers should be unaffected by the future Firefox browser warnings. SHA-2 has been the default for all certificates purchased from DigiCert since 2013. However, companies should be aware of Google’s more aggressive timeline and use the DigiCert SHA-1 Sunset Tool to check for and replace any SHA-1 certificates in their environment.
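The two-stage timeline above (issued after January 1, 2016 or valid past January 1, 2017) and the advice to check your environment for SHA-1 certificates can both be turned into a small inventory check. The script below is an added example written for this page, not DigiCert's Sunset Tool or Mozilla's code. It reads the text that `openssl x509 -noout -text -in cert.pem` prints, pulls out the signature algorithm and validity window, and reports which Firefox outcome the certificate will hit. The certificate texts it runs on are constructed samples, not real certificates, and the outcome labels (`ok`, `console-warning`, `untrusted-2016`, `untrusted-2017`) are names chosen for this example.

```python
"""Classify certificates against the Mozilla/Microsoft SHA-1 sunset dates.

Input is the output of `openssl x509 -noout -text`; the samples at the bottom
are constructed for this example and are not real certificates.
"""
import re
from datetime import datetime, timezone

# Sunset dates from the timeline Mozilla, Microsoft and Google agreed on.
NO_ISSUE_AFTER = datetime(2016, 1, 1, tzinfo=timezone.utc)
NO_TRUST_AFTER = datetime(2017, 1, 1, tzinfo=timezone.utc)

# Signature algorithms, as openssl names them, that hash with SHA-1.
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

# openssl prints "Signature Algorithm:" twice (in the TBS block and before the
# signature bytes); both name the same algorithm, so the first match is enough.
_SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
_NB_RE = re.compile(r"^\s*Not Before\s*:\s*(.+?)\s*$", re.M)
_NA_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M)


def _parse_openssl_date(text):
    """Parse dates like 'Sep  3 23:59:59 2017 GMT' (note the padded day)."""
    parts = text.split()
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError("unexpected date format: %r" % text)
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Extract signature algorithm and validity window from openssl -text output."""
    sig, nb, na = _SIG_RE.search(text), _NB_RE.search(text), _NA_RE.search(text)
    if not (sig and nb and na):
        raise ValueError("missing Signature Algorithm / Not Before / Not After")
    return {
        "signature_algorithm": sig.group(1),
        "not_before": _parse_openssl_date(nb.group(1)),
        "not_after": _parse_openssl_date(na.group(1)),
    }


def classify(cert):
    """Strictest Firefox outcome this certificate will hit under the timeline."""
    if cert["signature_algorithm"] not in SHA1_ALGORITHMS:
        return "ok"                      # SHA-2 (or other non-SHA-1) signature
    if cert["not_before"] >= NO_ISSUE_AFTER:
        return "untrusted-2016"          # issued past the cut-off: error in 2016
    if cert["not_after"] > NO_TRUST_AFTER:
        return "untrusted-2017"          # valid past the sunset: prominent warning, then error
    return "console-warning"             # expires before the sunset: replace at renewal


def inventory(certs):
    """Map a name to its outcome for a batch of {name: openssl-text} entries."""
    return {name: classify(parse_cert_text(text)) for name, text in certs.items()}


def sample(sig, not_before, not_after):
    """Build a constructed openssl -text fragment for the example (not a real cert)."""
    return (
        "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
        "        Serial Number: 4660 (0x1234)\n"
        "        Signature Algorithm: %s\n        Issuer: CN=Example Test CA\n"
        "        Validity\n            Not Before: %s\n            Not After : %s\n"
        "        Subject: CN=www.example.test\n" % (sig, not_before, not_after)
    )


SAMPLES = {
    "sha2-ok": sample("sha256WithRSAEncryption", "Mar  3 00:00:00 2015 GMT", "Mar  2 23:59:59 2018 GMT"),
    "sha1-short": sample("sha1WithRSAEncryption", "Jan 10 00:00:00 2014 GMT", "Dec 31 23:59:59 2016 GMT"),
    "sha1-long": sample("sha1WithRSAEncryption", "Mar  3 00:00:00 2015 GMT", "Mar  2 23:59:59 2018 GMT"),
    "sha1-late": sample("ecdsa-with-SHA1", "Feb  1 00:00:00 2016 GMT", "Jan 31 23:59:59 2017 GMT"),
}

if __name__ == "__main__":
    for name, outcome in sorted(inventory(SAMPLES).items()):
        print("%-12s %s" % (name, outcome))
```

To run it against real certificates, pipe `openssl x509 -noout -text -in cert.pem` (or the leaf from `openssl s_client -connect host:443 -showcerts`) into `parse_cert_text`. The check looks only at the leaf's own signature algorithm; a SHA-1 intermediate in the chain needs checking the same way.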