On Mon, Jan 4, 2016 at 9:31 AM, Bobby Holley <bobbyhol...@gmail.com> wrote:
> On Mon, Jan 4, 2016 at 9:11 AM, Richard Barnes <rbar...@mozilla.com>
> wrote:
>
> > Hey Daniel,
> >
> > Thanks for the heads-up. This is a useful thing to keep in mind as we
> > work through the SHA-1 deprecation.
> >
> > To be honest, this seems like a net positive to me, since it gives users
> > a clear incentive to uninstall this sort of software.
> >
>
> By "this sort of software" do you mean "Firefox"? Because that's what 95%
> of our users experiencing this are going to do absent anything clever on
> our end.
>
> We clearly need to determine the scale of the problem to determine how much
> time it's worth investing into this. But I think we should assume that an
> affected user is a lost user in this case.
>

I believe that Chrome will be making a similar change at a similar time.

-Ekr

> bholley
>
> > --Richard
> >
> > On Mon, Jan 4, 2016 at 3:19 AM, Daniel Holbert <dholb...@mozilla.com>
> > wrote:
> >
> > > Heads-up, from a user-complaint / support / "keep an eye out for this"
> > > perspective:
> > >
> > > * Starting January 1st 2016 (a few days ago), Firefox rejects
> > > recently-issued SSL certs that use the (obsolete) SHA1 hash
> > > algorithm.[1]
> > >
> > > * For users who unknowingly have a local SSL proxy on their machine
> > > from spyware/adware/antivirus (stuff like superfish), this may cause
> > > *all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its
> > > autogenerated certificates. (Every cert that gets sent to Firefox will
> > > use SHA1 and will have an issued date of "just now", which is after
> > > January 1 2016; hence, the cert is untrusted, even if the spyware put
> > > its root in our root store.)
> > >
> > > * I'm not sure what action we should (or can) take about this, but for
> > > now we should be on the lookout for this, and perhaps consider writing
> > > a support article about it if we haven't already. (Not sure there's much
> > > help we can offer, since removing spyware correctly/completely can be
> > > tricky and varies on a case by case basis.)
> > >
> > > (Context: I received a family-friend-Firefox-support phone call today,
> > > who had this exact problem. Every HTTPS site was broken for her in
> > > Firefox, since January 1st. IE worked as expected (that is, it happily
> > > accepts the spyware's SHA1 certs, for now at least). I wasn't able to
> > > remotely figure out what the piece of spyware was or how to remove it
> > > -- but the rejected certs reported their issuer as being "Digital
> > > Marketing Research App" (instead of e.g. Digicert or Verisign). Googling
> > > didn't turn up anything useful, unfortunately; so I suspect this is
> > > "niche" spyware, or perhaps the name is dynamically generated.)
> > >
> > > Anyway -- I have a feeling this will be a somewhat-widespread problem,
> > > among users who have spyware (and perhaps crufty "secure browsing"
> > > antivirus tools) installed.
> > >
> > > ~Daniel
> > >
> > > [1]
> > > https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
> > > _______________________________________________
> > > dev-platform mailing list
> > > dev-platform@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-platform
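The failure mode Daniel describes (a local interceptor minting SHA-1 certificates whose notBefore is always "just now", so every one of them trips the January 1, 2016 rule) can be checked mechanically from the certificate a user's browser receives, which is what a support triage script would do. The following is an added example, not code from this thread or from Mozilla: a pure-stdlib DER reader pulls the signature algorithm, notBefore and issuer CN out of a certificate and applies the cutoff rule, and a small DER encoder builds constructed, unsigned fixtures for the demo. The issuer string "Digital Marketing Research App" is the one Daniel reported; the other issuer names, the timestamps and the function names (`read_tlv`, `triage`, `build_sample_cert`, `run_demo`) are assumptions made here.

```python
# Added example (not from the thread): triage a DER certificate against the
# SHA-1 cutoff. Fixtures below are constructed and carry a dummy signature.
from datetime import datetime, timedelta, timezone

# Rule from the thread: SHA-1 certs whose validity starts on/after 2016-01-01 fail.
SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _der_len(n):                         # short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return tlv(0x06, bytes(out))

def build_sample_cert(sig_oid, not_before, not_after, issuer_cn):
    """Structurally valid Certificate with a dummy key and signature (constructed fixture)."""
    alg = seq(oid(sig_oid), b"\x05\x00")                                      # AlgorithmIdentifier
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, issuer_cn.encode()))))  # Name with CN only
    utc = lambda t: tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())          # UTCTime
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), b"\x05\x00"), tlv(0x03, b"\x00" * 9))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),            # version v3, serial 1
              alg, name, seq(utc(not_before), utc(not_after)), name, spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 17))                            # placeholder signatureValue

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                      # UTCTime has a two-digit year (RFC 5280 pivot at 50)
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def issuer_common_name(name):
    pos = 0
    while pos < len(name):               # Name is SEQUENCE OF SET OF AttributeTypeAndValue
        _, rdn, pos = read_tlv(name, pos)
        _, atv, _ = read_tlv(rdn)
        _, attr_oid, q = read_tlv(atv)
        _, value, _ = read_tlv(atv, q)
        if decode_oid(attr_oid) == "2.5.4.3":
            return value.decode("utf-8")
    return None

def triage(der, now):
    """Say whether the SHA-1 rule rejects the cert and whether it looks locally minted."""
    _, tbs, _ = read_tlv(read_tlv(der)[1])
    tag, _, pos = read_tlv(tbs)                  # version [0] is optional ...
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)           # ... then serialNumber
    _, sig_alg, pos = read_tlv(tbs, pos)
    _, issuer, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    sig_oid = decode_oid(read_tlv(sig_alg)[1])
    nb_tag, nb_body, _ = read_tlv(validity)
    not_before = decode_time(nb_tag, nb_body)
    return {
        "issuer_cn": issuer_common_name(issuer),
        "signature_algorithm": SHA1_SIG_OIDS.get(sig_oid, sig_oid),
        "not_before": not_before,
        "sha1_rejected": sig_oid in SHA1_SIG_OIDS and not_before >= SHA1_CUTOFF,
        # An interceptor mints a cert per connection, so notBefore is always "just now".
        "freshly_minted": timedelta(0) <= now - not_before <= timedelta(days=1),
    }

def run_demo():
    """Constructed cases: the failing interceptor cert from the thread and two controls."""
    now = datetime(2016, 1, 4, 9, 31, tzinfo=timezone.utc)
    cases = [  # (signature OID, notBefore, issuer CN); the last two issuer names are made up
        ("1.2.840.113549.1.1.5", now - timedelta(seconds=30), "Digital Marketing Research App"),
        ("1.2.840.113549.1.1.11", now - timedelta(seconds=30), "Hypothetical SHA-256 Interceptor"),
        ("1.2.840.113549.1.1.5", datetime(2015, 6, 1, tzinfo=timezone.utc), "Hypothetical Public CA"),
    ]
    return [triage(build_sample_cert(o, nb, nb + timedelta(days=365), cn), now) for o, nb, cn in cases]
```

Only the first case is rejected: it is SHA-1 and its validity starts after the cutoff. The second shows that the same interceptor re-signing with SHA-256 would have passed, and the third that a SHA-1 certificate issued in 2015 is still accepted under the rule, which is why a pre-existing spyware root in the store is not itself the problem. On a real machine the DER bytes would come from the certificate the browser actually received (e.g. exported from the certificate viewer), and a freshly minted SHA-1 certificate with an unfamiliar issuer is the signature of exactly the situation described above.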