First a bit of good news: The overall trend line for SHA-1 errors is not spiking (yet). Bin 6 of SSL_CERT_VERIFICATION_ERRORS corresponds to ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, which is what you get when you reject a bad SHA-1 cert.

https://ipv.sx/telemetry/general-v2.html?channels=beta%20release&measure=SSL_CERT_VERIFICATION_ERRORS&target=6

Now for the bad news: Telemetry is actually useless for the specific case we're talking about here. Telemetry is submitted over HTTPS (about:config / toolkit.telemetry.server), so measurements from affected clients will never reach the server. So we can't get any measurements unless we revert the SHA-1 intolerance.

Given this, I'm sort of inclined to do that, collect some data, then maybe re-enable it in 45 or 46. What do others think?

--Richard

On Mon, Jan 4, 2016 at 1:43 PM, Richard Barnes <rbar...@mozilla.com> wrote:

> On Mon, Jan 4, 2016 at 12:31 PM, Bobby Holley <bobbyhol...@gmail.com> wrote:
>
>> On Mon, Jan 4, 2016 at 9:11 AM, Richard Barnes <rbar...@mozilla.com> wrote:
>>
>>> Hey Daniel,
>>>
>>> Thanks for the heads-up. This is a useful thing to keep in mind as we work through the SHA-1 deprecation.
>>>
>>> To be honest, this seems like a net positive to me, since it gives users a clear incentive to uninstall this sort of software.
>>
>> By "this sort of software" do you mean "Firefox"? Because that's what 95% of our users experiencing this are going to do absent anything clever on our end.
>>
>> We clearly need to determine the scale of the problem to determine how much time it's worth investing into this. But I think we should assume that an affected user is a lost user in this case.
>
> I was being a bit glib because I think in a lot of cases, it won't be just Firefox that's affected -- all of the user's HTTPS will quit working, across all browsers.
>
> I agree that it would be good to get more data here. I think Adam is on the right track.
>
> --Richard
>
>> bholley
>>
>>> --Richard
>>>
>>> On Mon, Jan 4, 2016 at 3:19 AM, Daniel Holbert <dholb...@mozilla.com> wrote:
>>>
>>> > Heads-up, from a user-complaint / support / "keep an eye out for this" perspective:
>>> >
>>> > * Starting January 1st 2016 (a few days ago), Firefox rejects recently-issued SSL certs that use the (obsolete) SHA1 hash algorithm.[1]
>>> >
>>> > * For users who unknowingly have a local SSL proxy on their machine from spyware/adware/antivirus (stuff like superfish), this may cause *all* HTTPS pages to fail in Firefox, if their spyware uses SHA1 in its autogenerated certificates. (Every cert that gets sent to Firefox will use SHA1 and will have an issued date of "just now", which is after January 1 2016; hence, the cert is untrusted, even if the spyware put its root in our root store.)
>>> >
>>> > * I'm not sure what action we should (or can) take about this, but for now we should be on the lookout for this, and perhaps consider writing a support article about it if we haven't already. (Not sure there's much help we can offer, since removing spyware correctly/completely can be tricky and varies on a case by case basis.)
>>> >
>>> > (Context: I received a family-friend-Firefox-support phone call today, who had this exact problem. Every HTTPS site was broken for her in Firefox, since January 1st. IE worked as expected (that is, it happily accepts the spyware's SHA1 certs, for now at least). I wasn't able to remotely figure out what the piece of spyware was or how to remove it -- but the rejected certs reported their issuer as being "Digital Marketing Research App" (instead of e.g. Digicert or Verisign). Googling didn't turn up anything useful, unfortunately; so I suspect this is "niche" spyware, or perhaps the name is dynamically generated.)
>>> >
>>> > Anyway -- I have a feeling this will be a somewhat-widespread problem, among users who have spyware (and perhaps crufty "secure browsing" antivirus tools) installed.
>>> >
>>> > ~Daniel
>>> >
>>> > [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
>>> >
>>> > _______________________________________________
>>> > dev-platform mailing list
>>> > dev-platform@lists.mozilla.org
>>> > https://lists.mozilla.org/listinfo/dev-platform
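Daniel's explanation of why a local interception proxy breaks every HTTPS site under the new rule, as an added example that is not from the thread or from Firefox's own code: a minimal DER walk pulls the two fields the rule looks at (the tbsCertificate signature algorithm OID and validity.notBefore) and reports the bin-6 error name when the cert is SHA-1 signed and was issued on or after the 2016-01-01 cutoff the thread mentions. The `fake_proxy_cert` builder is a constructed, unsigned stand-in for what a "Digital Marketing Research App"-style proxy would mint; the OID list and the exact verdict logic are my assumptions about the check, not Firefox's code.

```python
from datetime import datetime, timezone

# sha1WithRSAEncryption, dsa-with-sha1, ecdsa-with-SHA1: the signature OIDs the deprecation covers
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10040.4.3", "1.2.840.10045.4.1"}
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)   # notBefore on/after this trips the rule

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                          # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def parse_time(tag, raw):   # 0x17 UTCTime (YYMMDD..Z), 0x18 GeneralizedTime (YYYYMMDD..Z)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def sig_oid_and_not_before(der):   # Certificate -> tbsCertificate -> (signature OID, notBefore)
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0            # [0] EXPLICIT version is optional (v1 certs omit it)
    _, _, pos = read_tlv(tbs, pos)             # serialNumber
    _, alg, pos = read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)             # issuer Name
    _, validity, _ = read_tlv(tbs, pos)        # validity SEQUENCE { notBefore, notAfter }
    nb_tag, nb, _ = read_tlv(validity, 0)
    return decode_oid(read_tlv(alg, 0)[1]), parse_time(nb_tag, nb)

def firefox43_verdict(der):
    oid, not_before = sig_oid_and_not_before(der)
    if oid in SHA1_SIG_OIDS and not_before >= CUTOFF:
        return "ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED"   # telemetry bin 6 in the thread
    return "OK"
def tlv(tag, body):                            # short-form DER encoder, enough for the sample
    return bytes([tag, len(body)]) + body
def fake_proxy_cert(not_before_utctime):       # constructed, unsigned; only the inspected fields
    sha1_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha1_rsa
              + tlv(0x30, b"") + tlv(0x30, tlv(0x17, not_before_utctime) + tlv(0x17, b"170101000000Z")))
    return tlv(0x30, tbs + sha1_rsa + tlv(0x03, b"\x00"))
```

A proxy that mints a fresh SHA-1 leaf per connection gets the error on every site, while a SHA-1 cert issued before the cutoff still passes, which is exactly the asymmetry Daniel describes.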