The newly released NSS 3.16.3 doesn't include 1024-bit CA certificates
any more[1]. This will of course impact users of servers that still use
them.

Interestingly, some intermediate CA certificates that were originally
signed by those 1024-bit CA certificates got cross-signed using
different roots that will remain trusted[2]. In particular I mean the
"USERTrust Legacy Secure Server CA" certificate.

The problem is that some administrators haven't updated their servers
to provide the new intermediate certificate for 3 years. As such,
I don't think we can realistically expect all of them to update their
configuration now.

While testing found just 217 sites as of 2014-05-30 that are
impacted by this change[2], it did test only the top 200 000
SSL-enabled servers. I'd estimate the total number in Alexa top 1M
alone at over 373k. Moreover, some of those sites include sites that
are in the top 10000 sites, like groupon.my[3]. So loss of connectivity
to them may have a bigger impact than the above quoted 217 could lead
us to believe.

That's why I think that we should ship the intermediate CA certificates
to make Firefox continue to interoperate with such sites.
I don't mean only the USERTrust certificate, but others too, if they
exist.

 1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1021967
 2 - https://bugzilla.mozilla.org/show_bug.cgi?id=936304
 3 - https://www.ssllabs.com/ssltest/analyze.html?d=groupon.my
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hka...@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
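
The failure described in the message above, and why an intermediate shipped with the client would restore connectivity, shown as a toy path-building model. This is an added example, not part of the original post and not NSS code; it performs no real signature checks, and the root names, key labels and host name are constructed placeholders.

```python
from collections import namedtuple

# subject/key identify the certified entity; issuer/issuer_key identify the signer.
Cert = namedtuple("Cert", "subject key issuer issuer_key")

# Constructed sample data. Root names are placeholders, not taken from the post.
OLD, NEW = "Removed 1024-bit Root (placeholder)", "Still-trusted Root (placeholder)"
INT = "USERTrust Legacy Secure Server CA"

OLD_ROOT = Cert(OLD, "k-old", OLD, "k-old")
NEW_ROOT = Cert(NEW, "k-new", NEW, "k-new")
INT_OLD = Cert(INT, "k-int", OLD, "k-old")    # original, chains to the removed root
INT_CROSS = Cert(INT, "k-int", NEW, "k-new")  # cross-signed: same name and key
LEAF = Cert("www.example.test", "k-leaf", INT, "k-int")


def signed_by(cert, ca):
    """Name and key must both match (stands in for signature verification)."""
    return cert.issuer == ca.subject and cert.issuer_key == ca.key


def build_path(leaf, sent, trusted_roots, shipped=()):
    """Depth-first search for a chain from leaf to a trusted root, else None.

    Candidates are the certificates the server sent, then any intermediates
    shipped with the client (the proposal in the message).
    """
    pool = list(sent) + list(shipped)

    def extend(chain):
        tip = chain[-1]
        for root in trusted_roots:
            if signed_by(tip, root):
                return chain + [root]
        for cand in pool:
            if signed_by(tip, cand) and cand not in chain:
                found = extend(chain + [cand])
                if found:
                    return found
        return None  # dead end: backtrack to try another candidate

    return extend([leaf])


if __name__ == "__main__":
    stale = [INT_OLD]  # server still sends the 3-year-old intermediate
    print(build_path(LEAF, stale, [NEW_ROOT]))
    print(build_path(LEAF, stale, [NEW_ROOT], shipped=[INT_CROSS]))
```

Because both intermediates carry the same subject and key, the leaf certificate verifies under either one; only the issuer of the intermediate decides whether the chain ends at a root that is still trusted.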