When Firefox 32 shipped this week, Mozilla also officially ended its support of 1024-bit certificate authority certificates in its trusted store.
While it still takes a considerable amount of resources to factor and crack a 1024-bit RSA key, important organizations such as NIST have been advising organizations to move to 2048-bit keys or higher going as far back as 2011. Microsoft announced a change to its certificate key length requirements shortly thereafter, yet others including Google, have been slow to follow suit.
Mozilla’s move to deprecate 1024-bit certs in not only Firefox, but also in Thunderbird, is certainly welcome news. With state-sponsored targeted attacks ramping up, and the uncertainty over the NSA’s and others’ abilities in the intelligence community around cracking or subverting crypto, security experts urge organizations to put up higher barriers to keep hackers and the IC at bay.
Still, such a move does involve some cost and angst to websites running older certificates. Rapid7’s Project Sonar, an initiative built by Metasploit creator and Rapid7 CSO HD Moore, is an ongoing scan of the public Internet. Scan data can be organized and studied in a multitude of ways, and Moore recently decided to do some number-crunching on 1024-bit intermediate certificates affected by Mozilla’s change.
In a report delivered yesterday, Moore answered two sets of questions: How may sites are affected and how long 1024-bit CA key signed certificates would be in use.
The results were mixed, Moore said. Project Sonar indexes close to 20 million websites, and the scan listed 107,535 sites using a cert signed by what will soon be an untrusted CA certificate, half a percent of the websites in the Project Sonar database. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.
“All major browsers will alert users of a site using an expired certificate, and of the 107k affected, only 30k were not expired, and so would no longer be trusted by Mozilla as a result of their recent change,” Moore said. “Users can choose to ignore an expired certificate in most browsers, but the dialogs presented to the user look similar to any other invalid certificate. Unfortunately, most people will click through anyway.”
Moore said that factoring a 1024-bit RSA key can be done for much less than the $1 billion estimate Daniel J. Bernstein surmised 13 years ago.
“Technology has moved quickly since and it may be possible to factor 1024-bit RSA keys for a much lower cost today. It would still be in the window of ‘nation state’ or ‘all of Amazon Web Services,’ and likely over $100M of hardware, not to mention power, space, and cooling,” Moore said. “The question then becomes, if you could factor a 1024-bit RSA key, which one would you target? The answer that provides the most value for the dollar is a 1024-bit CA certificate, as it would let you impersonate any web site and conduct large-scale man-in-the-middle attacks.”
Moore cautioned, however, that there could be mitigating circumstances where a 1024-bit CA certificate could still be trusted.
“Determining who would be affected ended up being much more complicated than we initially thought. Mozilla, even with their recent change, still has seven 1024-bit CA certificates in their trusted store, and according to a discussion with a Chromium developer, their removal of the other certificates may not have been effective,” Moore explained. “Depending on how the certificate chain is constructed, there is a chance that Mozilla may still trust a 1024-bit CA key by proxy (however, we don’t have an example to work from that demonstrates that).”
Moore said he could stand behind his findings that sites the Project Sonar scan turned up would not be trusted, but that the same could not be said for a site with a different certificate chain that still involves an older 1024-bit certificate.
Chrome is the remaining browser of the big three to fall in line. Moore said removing old certificates is only part of the solution for Google, whose browser also implements certificate pinning. Google’s Certificate Transparency project and its efforts to revamp OpenSSL are also important steps forward, he said.
“From recent conversations on Twitter, it sounds like the Chromium project [Chrome’s open source base] developers want to remove 1024-bit CA certificates as soon as possible, but are still concerned about the number of web sites that would be affected,” Moore said.