On 9/6/14, 8:38 AM, Kosuke Kaizuka wrote:
On Sat, 06 Sep 2014 16:34:06 +0200, Sjw wrote:
Hi everyone,

At present there are a lot of articles saying that weak SHA-1 certificates
with a long validity period will soon be marked as weak/insecure in some
browsers, and that in a few years they won't be accepted anymore.
Does Mozilla have similar plans? Sadly I can't find a similar option in
the current Nightly.

Please see Bug 942515.

https://bugzilla.mozilla.org/show_bug.cgi?id=942515


Also see: https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates


Here's a proposal regarding indicators about SHA1 certificates...

1) Mozilla could (relatively quickly) add a security warning to the Web Console to warn about SHA-1 certificates that expire after January 1, 2017. The target audience of this indicator is web developers and web site administrators inspecting their pages.

https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Security_warnings_and_errors

2) After January 1, 2017, Firefox would show the "Untrusted Connection" error whenever a SHA-1 certificate is encountered.** Note that the "Untrusted Connection" error is overrideable.

3) Based on telemetry, at some point after January 1, 2017, move the SHA-1 error to not-overrideable.** Note that it could remain overrideable for self-signed certs.

** Of course, Mozilla would take this action earlier if needed to keep users safe.


Does that sound reasonable?

Kathleen
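
As an added illustration of the check proposed in item 1 (this is example code, not code from the thread, from Mozilla, or from Firefox, whose real certificate checks live in NSS/mozilla::pkix), here is a stdlib-only Python script that reads the signature-algorithm OID and the notAfter date out of a DER-encoded X.509 certificate and sorts it into the outcomes the proposal describes: no indicator for non-SHA-1 certificates, a console warning for SHA-1 certificates expiring after 2017-01-01, and an untrusted-connection error for any SHA-1 certificate once that date has passed. The certificates it inspects are constructed skeletons built by make_sample_cert (placeholder issuer, subject, key and signature, so they would not validate anywhere), which keeps the example offline; the OID table, the helper names and the verdict labels are this example's own assumptions.

```python
"""Classify a DER X.509 certificate under the SHA-1 sunset proposal (example code)."""
import datetime

# Signature-algorithm OIDs that use SHA-1 (example's own table, not a Firefox list).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.3.14.3.2.29": "sha-1WithRSAEncryption (OIW)",
}
UTC = datetime.timezone.utc
SHA1_SUNSET = datetime.datetime(2017, 1, 1, tzinfo=UTC)  # date from the proposal


def utc(year, month, day):
    return datetime.datetime(year, month, day, tzinfo=UTC)


# --- minimal DER encoding, only what the constructed samples need ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def make_sample_cert(sig_oid, not_after):
    """Constructed certificate skeleton: valid DER layout, placeholder contents."""
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))       # AlgorithmIdentifier
    not_before = datetime.datetime(2014, 9, 1, tzinfo=UTC)
    validity = tlv(0x30, tlv(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode())
                   + tlv(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))            # [0] version v3
                    + tlv(0x02, b"\x01")                     # serialNumber
                    + alg + tlv(0x30, b"")                   # signature, issuer (empty)
                    + validity + tlv(0x30, b"")              # validity, subject (empty)
                    + tlv(0x30, b""))                        # placeholder SPKI
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))         # outer alg + dummy signature


# --- minimal DER decoding ---
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the single-byte-tag TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_time(tag, body):
    """UTCTime (tag 0x17, two-digit year, 50-99 => 19xx) or GeneralizedTime (0x18)."""
    s = body.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    else:
        year, rest = int(s[:4]), s[4:]
    return datetime.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                             int(rest[6:8]), int(rest[8:10]), tzinfo=UTC)


def inspect_certificate(der):
    """Return (signature OID, notAfter) and refuse TBS/outer algorithm mismatches."""
    _, cert_body, _ = read_tlv(der)
    tbs_body, outer_alg, _signature = [v for _, v in children(cert_body)]
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:          # explicit [0] version present (v2/v3)
        fields = fields[1:]
    outer_oid = decode_oid(children(outer_alg)[0][1])
    if decode_oid(children(fields[1][1])[0][1]) != outer_oid:
        raise ValueError("signature algorithm differs between TBS and outer certificate")
    _not_before, not_after = children(fields[3][1])
    return outer_oid, decode_time(*not_after)


def classify(der, today):
    """Map a certificate to the proposal's outcome on a given date."""
    sig_oid, not_after = inspect_certificate(der)
    if sig_oid not in SHA1_SIGNATURE_OIDS:
        return "not-sha1"
    if today >= SHA1_SUNSET:
        return "untrusted-connection"   # item 2: any SHA-1 cert after the sunset
    if not_after > SHA1_SUNSET:
        return "console-warning"        # item 1: expires after 2017-01-01
    return "accepted"                   # SHA-1, but gone before the sunset


if __name__ == "__main__":
    today = utc(2014, 9, 6)
    for oid, exp in [("1.2.840.113549.1.1.5", utc(2018, 6, 30)),
                     ("1.2.840.113549.1.1.5", utc(2016, 12, 31)),
                     ("1.2.840.113549.1.1.11", utc(2018, 6, 30))]:
        print(oid, exp.date(), "->", classify(make_sample_cert(oid, exp), today))
```

The classification deliberately reads the outer signatureAlgorithm and cross-checks it against the one inside tbsCertificate, since a mismatch between the two is itself a malformed certificate. A real scan would feed `inspect_certificate` the DER bytes obtained from a TLS handshake rather than the constructed skeletons above.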

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
