On Mon, Jan 4, 2016 at 12:31 PM, Bobby Holley <bobbyhol...@gmail.com> wrote:
> On Mon, Jan 4, 2016 at 9:11 AM, Richard Barnes <rbar...@mozilla.com> wrote:
>
>> Hey Daniel,
>>
>> Thanks for the heads-up. This is a useful thing to keep in mind as we work
>> through the SHA-1 deprecation.
>>
>> To be honest, this seems like a net positive to me, since it gives users a
>> clear incentive to uninstall this sort of software.
>
> By "this sort of software" do you mean "Firefox"? Because that's what 95%
> of our users experiencing this are going to do absent anything clever on
> our end.
>
> We clearly need to determine the scale of the problem to determine how
> much time it's worth investing into this. But I think we should assume that
> an affected user is a lost user in this case.

I was being a bit glib because I think in a lot of cases, it won't be just
Firefox that's affected -- all of the user's HTTPS will quit working, across
all browsers.

I agree that it would be good to get more data here. I think Adam is on the
right track.

--Richard

> bholley
>
>> --Richard
>>
>> On Mon, Jan 4, 2016 at 3:19 AM, Daniel Holbert <dholb...@mozilla.com> wrote:
>>
>> > Heads-up, from a user-complaint / support / "keep an eye out for this"
>> > perspective:
>> >
>> > * Starting January 1st 2016 (a few days ago), Firefox rejects
>> > recently-issued SSL certs that use the (obsolete) SHA1 hash algorithm.[1]
>> >
>> > * For users who unknowingly have a local SSL proxy on their machine
>> > from spyware/adware/antivirus (stuff like superfish), this may cause
>> > *all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its
>> > autogenerated certificates. (Every cert that gets sent to Firefox will
>> > use SHA1 and will have an issued date of "just now", which is after
>> > January 1 2016; hence, the cert is untrusted, even if the spyware put
>> > its root in our root store.)
>> >
>> > * I'm not sure what action we should (or can) take about this, but for
>> > now we should be on the lookout for this, and perhaps consider writing a
>> > support article about it if we haven't already. (Not sure there's much
>> > help we can offer, since removing spyware correctly/completely can be
>> > tricky and varies on a case by case basis.)
>> >
>> > (Context: I received a family-friend-Firefox-support phone call today,
>> > who had this exact problem. Every HTTPS site was broken for her in
>> > Firefox, since January 1st. IE worked as expected (that is, it happily
>> > accepts the spyware's SHA1 certs, for now at least). I wasn't able to
>> > remotely figure out what the piece of spyware was or how to remove it --
>> > but the rejected certs reported their issuer as being "Digital Marketing
>> > Research App" (instead of e.g. Digicert or Verisign). Googling didn't
>> > turn up anything useful, unfortunately; so I suspect this is "niche"
>> > spyware, or perhaps the name is dynamically generated.)
>> >
>> > Anyway -- I have a feeling this will be a somewhat-widespread problem,
>> > among users who have spyware (and perhaps crufty "secure browsing"
>> > antivirus tools) installed.
>> >
>> > ~Daniel
>> >
>> > [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
>> >
>> > _______________________________________________
>> > dev-platform mailing list
>> > dev-platform@lists.mozilla.org
>> > https://lists.mozilla.org/listinfo/dev-platform
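As an added example (not code from this thread or from Mozilla): a stdlib-only Python check that pulls the signature algorithm and notBefore out of a DER certificate and applies the rule Daniel describes (SHA-1 signature plus a notBefore on or after 2016-01-01 means rejection). The certificate skeleton it parses is constructed inside the block (unsigned, with a dummy signature field, issuer set to the name seen in the thread); the helper names are my own.

```python
from datetime import datetime, timezone

CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)   # cutoff date named in the thread
# sha1WithRSAEncryption, ecdsa-with-SHA1, dsa-with-sha1
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def _oid(b):
    """DER-encoded OID value -> dotted string."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def _time(tag, b):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(b.decode(), fmt).replace(tzinfo=timezone.utc)

def firefox_rejects(der):
    """True if the cert is SHA-1 signed and notBefore >= 2016-01-01 (the rule in the thread)."""
    _, cert, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                     # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                    # [0] EXPLICIT version, optional
    if tag != 0xA0:
        pos = 0
    _, _, pos = _tlv(tbs, pos)                    # serialNumber
    _, alg, pos = _tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                    # issuer
    _, validity, _ = _tlv(tbs, pos)               # validity
    nb_tag, nb, _ = _tlv(validity, 0)             # notBefore
    return _oid(_tlv(alg, 0)[1]) in SHA1_SIG_OIDS and _time(nb_tag, nb) >= CUTOFF

def _enc(tag, payload): return bytes([tag, len(payload)]) + payload   # short-form DER only
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

def sample_cert(sig_oid, not_before):
    """Constructed, unsigned cert skeleton imitating the proxy cert described in the thread."""
    alg = _enc(0x30, _enc(0x06, sig_oid) + b"\x05\x00")
    cn = _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, b"Digital Marketing Research App"))
    validity = _enc(0x30, _enc(0x17, not_before) + _enc(0x17, b"170104120000Z"))
    tbs = _enc(0x30, _enc(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + _enc(0x30, _enc(0x31, cn)) + validity)
    return _enc(0x30, tbs + alg + b"\x03\x02\x00\x00")   # dummy signature BIT STRING
```

The same function works on a real DER certificate saved from the browser, so a support volunteer can confirm whether an interception proxy's certificate trips this rule before trying to identify the software.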