Hey Daniel, Thanks for the heads-up. This is a useful thing to keep in mind as we work through the SHA-1 deprecation.
To be honest, this seems like a net positive to me, since it gives users a clear incentive to uninstall this sort of software.

--Richard

On Mon, Jan 4, 2016 at 3:19 AM, Daniel Holbert <dholb...@mozilla.com> wrote:
> Heads-up, from a user-complaint / support / "keep an eye out for this" perspective:
>
> * Starting January 1st 2016 (a few days ago), Firefox rejects recently-issued SSL certs that use the (obsolete) SHA1 hash algorithm. [1]
>
> * For users who unknowingly have a local SSL proxy on their machine from spyware/adware/antivirus (stuff like Superfish), this may cause *all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its autogenerated certificates. (Every cert that gets sent to Firefox will use SHA1 and will have an issued date of "just now", which is after January 1 2016; hence, the cert is untrusted, even if the spyware put its root in our root store.)
>
> * I'm not sure what action we should (or can) take about this, but for now we should be on the lookout for this, and perhaps consider writing a support article about it if we haven't already. (Not sure there's much help we can offer, since removing spyware correctly/completely can be tricky and varies on a case-by-case basis.)
>
> (Context: I received a family-friend Firefox-support phone call today from someone who had this exact problem. Every HTTPS site was broken for her in Firefox since January 1st. IE worked as expected (that is, it happily accepts the spyware's SHA1 certs, for now at least). I wasn't able to remotely figure out what the piece of spyware was or how to remove it -- but the rejected certs reported their issuer as being "Digital Marketing Research App" (instead of e.g. DigiCert or Verisign). Googling didn't turn up anything useful, unfortunately; so I suspect this is "niche" spyware, or perhaps the name is dynamically generated.)
>
> Anyway -- I have a feeling this will be a somewhat-widespread problem among users who have spyware (and perhaps crufty "secure browsing" antivirus tools) installed.
>
> ~Daniel
>
> [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
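As an added illustration (not part of the thread, and not Mozilla code) of the two points Daniel raises: the date-gated SHA-1 rule, and why a local interception proxy trips it on every site at once. The sample certificate records, the issuer/host names other than the "Digital Marketing Research App" string from the thread, and the one-hour "minted just now" window are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Signature-algorithm OIDs as found in a certificate's signatureAlgorithm field.
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

# Firefox's cut-off: a SHA-1 cert whose notBefore is on/after this date is rejected.
SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

@dataclass
class ObservedCert:
    host: str             # site the browser connected to
    issuer_cn: str        # issuer CN as shown in the certificate viewer
    sig_alg_oid: str      # signature algorithm OID
    not_before: datetime  # start of validity (the "issued" date)

def firefox_accepts(cert: ObservedCert) -> bool:
    """Date-gated SHA-1 rule: SHA-1 is tolerated only on certs issued before the cut-off."""
    return not (cert.sig_alg_oid == SHA1_RSA and cert.not_before >= SHA1_CUTOFF)

def looks_like_local_proxy(certs: List[ObservedCert], observed_at: datetime,
                           window: timedelta = timedelta(hours=1)) -> bool:
    """Heuristic for the pattern in the thread: certs for unrelated sites all chain to
    one issuer and were all minted "just now". Public CAs issue over months, so their
    notBefore values are spread out and the issuers differ across sites (assumed window)."""
    if len(certs) < 2:
        return False
    one_issuer = len({c.issuer_cn for c in certs}) == 1
    all_fresh = all(observed_at - c.not_before <= window for c in certs)
    return one_issuer and all_fresh

# Constructed sample data (not real certificates): a proxied machine versus a clean one.
NOW = datetime(2016, 1, 4, 10, 0, tzinfo=timezone.utc)
PROXIED = [
    ObservedCert(h, "Digital Marketing Research App", SHA1_RSA, NOW - timedelta(seconds=s))
    for h, s in (("mail.example.com", 5), ("bank.example.net", 12), ("news.example.org", 30))
]
CLEAN = [
    ObservedCert("mail.example.com", "Example CA 1", SHA256_RSA, datetime(2015, 6, 1, tzinfo=timezone.utc)),
    ObservedCert("bank.example.net", "Example CA 2", SHA256_RSA, datetime(2015, 11, 20, tzinfo=timezone.utc)),
    # SHA-1 but issued before the cut-off: still accepted under the 2016-01-01 rule.
    ObservedCert("news.example.org", "Example CA 3", SHA1_RSA, datetime(2015, 3, 9, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for c in PROXIED + CLEAN:
        print(c.host, c.issuer_cn, "accepted" if firefox_accepts(c) else "REJECTED")
```

Run on the proxied set, every cert is rejected and the proxy heuristic fires; on the clean set all three are accepted, including the pre-2016 SHA-1 one.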