Heads-up, from a user-complaint / support / "keep an eye out for this"
perspective:
 * Starting January 1st 2016 (a few days ago), Firefox rejects
recently-issued SSL certs that use the (obsolete) SHA1 hash algorithm.[1]

 * For users who unknowingly have a local SSL proxy on their machine
from spyware/adware/antivirus (stuff like superfish), this may cause
*all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its
autogenerated certificates.  (Every cert that gets sent to Firefox will
use SHA1 and will have an issued date of "just now", which is after
January 1 2016; hence, the cert is untrusted, even if the spyware put
its root in our root store.)

 * I'm not sure what action we should (or can) take about this, but for
now we should be on the lookout for this, and perhaps consider writing a
support article about it if we haven't already. (Not sure there's much
help we can offer, since removing spyware correctly/completely can be
tricky and varies on a case by case basis.)

(Context: I received a family-friend-Firefox-support phone call today,
who had this exact problem.  Every HTTPS site was broken for her in
Firefox, since January 1st.  IE worked as expected (that is, it happily
accepts the spyware's SHA1 certs, for now at least).  I wasn't able to
remotely figure out what the piece of spyware was or how to remove it --
but the rejected certs reported their issuer as being "Digital Marketing
Research App" (instead of e.g. Digicert or Verisign).  Googling didn't
turn up anything useful, unfortunately; so I suspect this is "niche"
spyware, or perhaps the name is dynamically generated.)

Anyway -- I have a feeling this will be a somewhat-widespread problem,
among users who have spyware (and perhaps crufty "secure browsing"
antivirus tools) installed.

~Daniel

[1]
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
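An added example (mine, not from this mail or from Mozilla's code) of the check a support engineer could run on a certificate Firefox rejected: it walks the DER structure to pull out the outer signature algorithm, the notBefore date and the issuer CN, and applies the rule described above, namely a SHA-1 signature on a cert issued on or after 2016-01-01, regardless of whether the issuer's root is trusted. The sample certificates are constructed skeletons with placeholder signature bytes (not real or valid certs), the issuer name is the one reported in the mail, and treating the boundary as "notBefore >= 2016-01-01" is my assumption about the exact cutoff.

```python
import datetime

def tlv(tag, body):  # encode one DER TLV (used only to build the constructed samples)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off=0):  # decode the TLV at buf[off] -> (tag, value, offset past it)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # sha1WithRSAEncryption OID
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption OID
CN_OID = b"\x55\x04\x03"                               # id-at-commonName
SHA1_CUTOFF = datetime.date(2016, 1, 1)                # cutoff named in the mail (assumed inclusive)

def make_cert(sig_oid, not_before, issuer_cn):  # constructed skeleton; placeholder signature, not a real cert
    start = datetime.date.fromisoformat(not_before)
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d000000Z").encode())
    alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, issuer_cn.encode()))))
    validity = tlv(0x30, utc(start) + utc(start + datetime.timedelta(days=365)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(9)))

def inspect_cert(der):  # -> (issuer CN, outer signature OID bytes, notBefore date)
    _, cert, _ = read_tlv(der)
    _, tbs, off = read_tlv(cert)
    sig_oid = read_tlv(read_tlv(cert, off)[1])[1]  # signatureAlgorithm.algorithm
    tag, _, off = read_tlv(tbs)                    # [0] version, or serial if absent
    if tag == 0xA0:
        _, _, off = read_tlv(tbs, off)             # serialNumber
    _, _, off = read_tlv(tbs, off)                 # tbs signature AlgorithmIdentifier
    _, issuer, off = read_tlv(tbs, off)
    nb = read_tlv(read_tlv(tbs, off)[1])[1].decode()  # validity.notBefore (UTCTime)
    not_before = datetime.datetime.strptime(nb, "%y%m%d%H%M%SZ").date()
    cn, off = None, 0
    while off < len(issuer) and cn is None:        # first CN attribute in the issuer Name
        _, rdn, off = read_tlv(issuer, off)
        _, oid, o2 = read_tlv(read_tlv(rdn)[1])
        if oid == CN_OID:
            cn = read_tlv(read_tlv(rdn)[1], o2)[1].decode()
    return cn, sig_oid, not_before

def firefox_rejects(der):  # SHA-1 signature and issued on/after the cutoff, whatever the issuer
    _, sig_oid, not_before = inspect_cert(der)
    return sig_oid == SHA1_RSA and not_before >= SHA1_CUTOFF
```

A rejected chain whose issuer CN is not a public CA, combined with the same issuer appearing on every site, is the pattern described in the mail for a local interception proxy.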