On Mon, Jan 4, 2016 at 9:11 AM, Richard Barnes <rbar...@mozilla.com> wrote:
> Hey Daniel,
>
> Thanks for the heads-up. This is a useful thing to keep in mind as we work
> through the SHA-1 deprecation.
>
> To be honest, this seems like a net positive to me, since it gives users a
> clear incentive to uninstall this sort of software.

By "this sort of software" do you mean "Firefox"? Because that's what 95% of
our users experiencing this are going to do absent anything clever on our end.

We clearly need to determine the scale of the problem to determine how much
time it's worth investing into this. But I think we should assume that an
affected user is a lost user in this case.

bholley

> --Richard
>
> On Mon, Jan 4, 2016 at 3:19 AM, Daniel Holbert <dholb...@mozilla.com>
> wrote:
>
> > Heads-up, from a user-complaint / support / "keep an eye out for this"
> > perspective:
> >
> > * Starting January 1st 2016 (a few days ago), Firefox rejects
> > recently-issued SSL certs that use the (obsolete) SHA1 hash algorithm.[1]
> >
> > * For users who unknowingly have a local SSL proxy on their machine
> > from spyware/adware/antivirus (stuff like Superfish), this may cause
> > *all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its
> > autogenerated certificates. (Every cert that gets sent to Firefox will
> > use SHA1 and will have an issued date of "just now", which is after
> > January 1 2016; hence, the cert is untrusted, even if the spyware put
> > its root in our root store.)
> >
> > * I'm not sure what action we should (or can) take about this, but for
> > now we should be on the lookout for this, and perhaps consider writing a
> > support article about it if we haven't already. (Not sure there's much
> > help we can offer, since removing spyware correctly/completely can be
> > tricky and varies on a case by case basis.)
> >
> > (Context: I received a family-friend-Firefox-support phone call today,
> > who had this exact problem. Every HTTPS site was broken for her in
> > Firefox, since January 1st. IE worked as expected (that is, it happily
> > accepts the spyware's SHA1 certs, for now at least). I wasn't able to
> > remotely figure out what the piece of spyware was or how to remove it --
> > but the rejected certs reported their issuer as being "Digital Marketing
> > Research App" (instead of e.g. Digicert or Verisign). Googling didn't
> > turn up anything useful, unfortunately; so I suspect this is "niche"
> > spyware, or perhaps the name is dynamically generated.)
> >
> > Anyway -- I have a feeling this will be a somewhat-widespread problem,
> > among users who have spyware (and perhaps crufty "secure browsing"
> > antivirus tools) installed.
> >
> > ~Daniel
> >
> > [1]
> > https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
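The failure mode Daniel describes (an interception proxy minting SHA-1 certificates with a notBefore of "just now", which the new Firefox rule rejects even when the proxy's root is trusted) can be reproduced from the certificate bytes alone. The script below is an added example, not code from the thread or from Mozilla: it walks the DER of an X.509 certificate with a minimal TLV reader, pulls out the signature algorithm, the validity notBefore and the issuer CN, and applies the rule as stated in the thread (SHA-1 signature and notBefore on or after 2016-01-01 means reject). Because the script must run offline, the certificates are constructed inline with a tiny DER encoder; the issuer name "Digital Marketing Research App" is the one Daniel saw, while the serial number, dates, and the placeholder public key and signature are made up and carry no meaning.

```python
"""Added example: apply Firefox's 2016 SHA-1 rule to a raw DER certificate."""
from datetime import datetime, timezone

SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

# DER value bytes of the signature-algorithm OIDs this check recognises.
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SIG_OIDS = {SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
OID_CN = bytes.fromhex("550403")                   # id-at-commonName 2.5.4.3


# --- tiny DER encoder, used only to build the constructed test certificates ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def utc_time(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime

def build_cert(sig_oid, issuer_cn, not_before, not_after):
    """Structurally valid Certificate with dummy key/signature (fixture only)."""
    alg = tlv(0x30, tlv(0x06, sig_oid))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, issuer_cn.encode()))))
    validity = tlv(0x30, utc_time(not_before) + utc_time(not_after))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))  # [0] version v3
              + tlv(0x02, b"\x01")           # serialNumber (made up)
              + alg                          # signature AlgorithmIdentifier
              + name                         # issuer
              + validity                     # validity
              + name                         # subject (irrelevant here)
              + tlv(0x30, b""))              # subjectPublicKeyInfo placeholder
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))  # signature placeholder


# --- minimal DER reader -------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed value into its immediate (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def issuer_cn(name_val):
    """Walk Name -> RDN SET -> AttributeTypeAndValue and return the CN, if any."""
    for _, rdn_set in children(name_val):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return None

def inspect_cert(der):
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                     # skip optional explicit version
        fields = fields[1:]
    sig_oid = children(fields[1][1])[0][1]       # serial, signature, issuer, validity, ...
    nb_tag, nb_val = children(fields[3][1])[0]
    return {"sig_alg": SIG_OIDS.get(sig_oid, sig_oid.hex()),
            "issuer_cn": issuer_cn(fields[2][1]),
            "not_before": parse_time(nb_tag, nb_val)}

def firefox_sha1_verdict(der):
    """'reject' for SHA-1 certs issued on/after 2016-01-01, else 'accept'."""
    info = inspect_cert(der)
    if info["sig_alg"] == "sha1WithRSAEncryption" and info["not_before"] >= SHA1_CUTOFF:
        return "reject"
    return "accept"


# Constructed fixtures: a proxy-minted SHA-1 cert dated "just now" (Jan 4 2016),
# the same proxy using SHA-256, and a SHA-1 cert issued before the cutoff.
PROXY_SHA1 = build_cert(SHA1_RSA, "Digital Marketing Research App",
                        datetime(2016, 1, 4, 9, 0, 0), datetime(2017, 1, 4, 9, 0, 0))
PROXY_SHA256 = build_cert(SHA256_RSA, "Digital Marketing Research App",
                          datetime(2016, 1, 4, 9, 0, 0), datetime(2017, 1, 4, 9, 0, 0))
OLD_SHA1 = build_cert(SHA1_RSA, "Example CA (constructed)",
                      datetime(2015, 6, 1, 0, 0, 0), datetime(2016, 6, 1, 0, 0, 0))

if __name__ == "__main__":
    for label, der in [("proxy sha1", PROXY_SHA1), ("proxy sha256", PROXY_SHA256), ("old sha1", OLD_SHA1)]:
        print(label, inspect_cert(der)["issuer_cn"], firefox_sha1_verdict(der))
```

For a support triage the useful outputs are the issuer CN (which names the interception software, as it did in Daniel's case) and the verdict; a run of `firefox_sha1_verdict` over the certificate a user's browser actually receives tells you whether the breakage is the SHA-1 rule or something else, without any guessing about the spyware itself.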