Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Crypto

Mozilla continues the phasing out of 1024-bit SSL CA certificates

Mozilla products including the Firefox browser will stop trusting SSL certificates that were issued using old root CA certificates with 1024-bit RSA keys. Mozilla products including the popular Firefox browser will stop trusting SSL certificates that were issued using old root CA certificates with 1024-bit RSA keys. With this decision Mozilla wants to stress certificate authorities (CAs) […]

Mozilla continues the phasing out of 1024-bit SSL CA certificates

Mozilla products including the Firefox browser will stop trusting SSL certificates that were issued using old root CA certificates with 1024-bit RSA keys.

Mozilla products including the popular Firefox browser will stop trusting SSL certificates that were issued using old root CA certificates with 1024-bit RSA keys.

With this decision Mozilla wants to stress certificate authorities (CAs) and their customers to stop using 1024-bit certificates because that do not offer an adequate level of security due to technological advances. Mozilla has already announced that it will remove the following CA certificates from the next Firefox 36, which is scheduled to be released on February 24:
  • Verizon<iam-support@verizon.com>
    • CN = GTECyberTrust Global Root
      • SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
  • Symantec
    • CN =Thawte Server CA
      • SHA1 Fingerprint: 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
    • CN =Thawte Premium Server CA
      • SHA1 Fingerprint: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
    • OU = Class 3 Public Primary Certification Authority – G2
      • SHA1 Fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
    • CN =Equifax SecureeBusiness CA-1
      • SHA1 Fingerprint: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
“If you manage an SSL-enabled website, this change will not impact you if your certificates and the certificates above it have 2048-bit keys or more,” states a Mozilla security blog post. “If your SSL certificate has a 1024-bit key, or was issued by a certificate with a 1024-bit key, then you will need to get a new SSL certificate, and update the certificates in your Web server.”
It is important to highlight that owners of 2048-bit certificates that chain back to intermediate CA certificates with 1024-bit keys will be impacted by the decision of the company to migrating off of 1024-bit root certificates, they urge to update the certificate chain on their Web servers to include a 2048-bit intermediate from their certificate authority. A certificate authority uses one or more root certificates to sign the SSL certificates that are issuing them to customers, these CA digital certificates are included in operating systems, most popular web browser and other products that implements PKI infrastructure.

When a user access to a website it presents its SSL certificate that is verified on the client side by browser by using the above CA digital certificates.

Following the exclusion of the CA certificates starting from Firefox 36, the company and its products will no longer trust SSL certificates that chain back to the roots and users will present a message that inform them of an “untrusted connection error”.

Mozilla untrusted connection error CA Certificates

Mozilla has started the Phasing out Certificates with 1024-bit RSA Keys in September 2014, when the company excluded from the Firefox 32 CA certificates issued by EMC/RSA, Entrust, GoDaddy, NetLock, SECOM and Symantec / VeriSign.

“For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA)” states Mozilla in a previous post.  “We are actively working with CAs to retire SSL and Code Signing certificates that have 1024-bit RSA keys in an effort to make the upgrade as orderly as possible, and to avoid having system administrators find themselves in emergency mode because their SSL keys were compromised.”

Mozilla plan to conclude the phasing out of CA certificates in the first half of 2015, it has announced the removal of two more Equifax root certificates owned by Symantec, one of which is still “very widely used.”

Pierluigi Paganini

(Security Affairs – Mozilla, CA certificates)