Mozilla has joined the chorus of browser makers and technology companies no longer throwing their support behind the shaky SHA-1 hash algorithm.
Long considered vulnerable to attack, SHA-1 is already on hackers’ collective to-do list, with experts predicting that collision attacks will be practical within four years. Considering that academics have been poking at the algorithm for years, companies such as Google and Microsoft have decided the time for action has arrived, and in the last 12 months have begun preparing organizations for their imminent deprecation of SHA-1.
Mozilla was the latest to fall in line, yesterday asking Certificate Authorities and websites to upgrade certificates to SHA-256, SHA-384 or SHA-512, all exponentially stronger mathematically than SHA-1, and announcing that SHA-1 should not be trusted after Jan. 1, 2017. It urged CAs to no longer issue new SHA-1 certs and asked them to migrate customers off SHA-1 intermediate and end-entity certificates. Any SHA-1 certs issued for compatibility’s sake, Mozilla said, should expire before Jan. 1, 2017.
Almost two years ago, cryptography luminary Bruce Schneier published a blog post that put SHA-1 on the clock, saying that collision attacks would be practical for a hacker by 2018. Citing calculations done by Jesse Walker based on the cost of commodity microprocessors and evidence that Moore’s law will extend another decade, Schneier said server-cycle costs would be around $173,000 on Amazon, well within reach of a funded attacker such as an organized crime group or nation state.
“Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning,” said Kathleen Wilson, a member of the Mozilla security engineering team. “In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.”
Wilson said security warnings will be displayed encouraging developers to move to stronger certificates, and a sterner warning will be issued if the certificate in question is valid beyond Jan. 1, 2017.
“Since we will reject that certificate after that date, we plan to implement these warnings in the next few weeks, so they should be appearing in released versions of Firefox in early 2015,” Wilson said. “We may implement additional [user interface] indicators later.”
Some of those will include an “Untrusted Connection” error after Jan. 1, 2016 when a new SHA-1 certificate is found by Firefox. That same error will display after Jan. 1, 2017 for all remaining SHA-1 certificates in Firefox.
Two weeks ago, Google announced it was phasing out its support of SHA-1 certificates starting with a planned Chrome browser update in November.
Starting with Chrome 40, sites with certificate chains including SHA-1 which extend beyond Jan. 1, 2017 will be marked with a blank white sheet, the current visual display for “neutral, lacking security.” Chrome 41 will treat such sites as “affirmatively insecure,” a state indicated by a padlock with a red X on top of it and a red strike through the text that says HTTPS.
Last November, Microsoft began actively recommending developers move off SHA-1 and deprecate the RC4 cipher suite. Its developers will no longer be able to use SHA-1 in code signing or developer certs after Jan. 1, 2016.