Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Encryption Mozilla The Internet

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted 67

msm1267 writes: Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla. Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.
This discussion has been archived. No new comments can be posted.

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

Comments Filter:
  • by NotInHere ( 3654617 ) on Friday September 05, 2014 @04:31PM (#47837895)

    that slashdot wasn't affected by this.

  • by jandrese ( 485 ) <kensama@vt.edu> on Friday September 05, 2014 @04:33PM (#47837921) Homepage Journal
    It sounds from the writeup like most of the sites in question are defunct and that's why they're using out of date crypto. Few sites that people actually visit would appear to be affected.
  • hackers, start your engines...

    • by Charliemopps ( 1157495 ) on Friday September 05, 2014 @05:31PM (#47838271)

      hackers, start your engines...

      No ones every managing them. These things are like domain names... they cost pennies and last for years... so despite their importance they fall to the bottom of businesses radar. A place I worked at a few years ago let their multi-million dollar domain expire. The registrar had been sending emails to an employee that had no longer worked there for quite a while...

      The end result? It went down on a Sunday, and one of our hourly tech support guys (Making about $10/hr at the time) figured out what happened and registered the domain on his personal credit card and redirected it because he didn't know who to call. He got dinner out with the president of the company who shook his hand, asked him politely if he'd mind transferring the domain back to the company, which he did.

      That guy, years later, ended up being my boss and making six figures. It pays to be clever on occasion. He always joked that the company could have sued him for what he did to get the domain back anyway but he was impressed the president thanked him and asked for it back personally.

      • by corychristison ( 951993 ) on Friday September 05, 2014 @09:20PM (#47839205)

        Was the domain being used? Or just squatting on it?

        If you were actively using it, and it expired, you have a grace period of anywhere from 30 days to 90 days depending on the TLD, when this happened and who the registrar was/is.

        With that said, your point is completely valid. Domain names, SSL certificates, and hosting accounts tend to be forgotten. I own a web design/development/hosting company. We actively maintain records of who we need to be dealing with, as well as their managers in the event our contact stops responding. As well, we introduced a fully managed service in which we manage everything for our clients, and we send them a single monthly invoice. Because it is billed every month, their services continue to Just Workâ, and in turn we are keeping consistent contact with them.

        We have had the most problems with non-profit organizations. They are typically volunteer run, with a high turn over rate.

  • FTFA (Score:5, Insightful)

    by Bill, Shooter of Bul ( 629286 ) on Friday September 05, 2014 @04:45PM (#47838011) Journal

    “All major browsers will alert users of a site using an expired certificate, and of the 107k affected, only 30k were not expired, and so would no longer be trusted by Mozilla as a result of their recent change,”

    So not 107K, only 30k. And that's not a real issue. The browsers are correct, the connection isn't secure at 1024. People can complain as much as they want, trust is not something that is eternally granted without condition.

    • Re:FTFA (Score:4, Insightful)

      by thegarbz ( 1787294 ) on Friday September 05, 2014 @05:57PM (#47838403)

      trust is not something that is eternally granted without condition.

      The condition being to grease the palms of a third party?

      • I really don't understand people's hang up with the fee. Certs are cheap as hell. I understand they don't really do that much to verify any one's identity, but its so freaking cheap.

        How much abuse is there with fake certificates being issued? I've only heard about a couple of cases. Its better than nothing, and certainly worth the small amount of money.

        • So are you saying that money buys trust? How cynical. Let's see how well that goes down in the future.

          The whole SSL ecosystem is based on the fact that you can absolutely trust the certificate authorities. The corollary to this is that, if a single CA is breached, then the whole system becomes untrustworthy. I'm confused as to why most of us still refuse to see that. Propoganda and disinformation? Well, the SSL world definitely represents a huge business, and it's clear none of its stakeholders is willing

          • "So are you saying that money buys trust"

            No.

            "The whole SSL ecosystem is based on the fact that you can absolutely trust the certificate authorities."

            No, it isn't. Trust is not absolute. Learn this. Please.

    • by bondsbw ( 888959 )

      People can complain as much as they want

      Yep, that about sums up the Internet.

      • by skids ( 119237 )

        People can complain as much as they want

        Yep, that about sums up the Internet.

        Only half. The other half is "and still get screwed over."

        The cert authorities as a whole, following NIST recommendations, decided to not just stop issuing 1024 certs, but also to revoke their 1024 root certs, so anything checking CRLs would just break. Months before the actual deadline. They could have just let those certs run out on schedule, but that wasn't good enough for NIST. Moreso, they could have only sold them such that they ran out on schedule (we were sold a 5-year 1024bit cert in 2009 when

    • Yes. It's being dropped because it gave the illusion of security without the actuality.

      Unfortunately, a LOT of very public websites are running on old expired certs, which isn't really any better.

      People need to stop thinking that "software doesn't wear out" - meaning in this case, the security vouchers. Bits may remain unchanged, but the world does not, and if you expect the entire cost of the system is what you paid for at the "cash register" without accounting for ongoing maintenance, you're a fool.

  • An unavoidable side effect of trusting less is that you trust less. In this case, ancient websites using outdated crypto, won't be trusted. Most of which already are no longer trusted due to expired certificates.

  • by Streetlight ( 1102081 ) on Friday September 05, 2014 @04:56PM (#47838061) Journal
    1. If all these sites renew or get proper certificates it'll be a big improvement in cash for the Certificate Authorities.

    2. Maybe most of these un-certificated sites will disappear, though it won't mean much for internet congestion if most are not accessed anyway.

    3. Maybe swschard's comment that hackers will have a field day is true, although to what benefit to hackers or detriment to site users?
  • Good (Score:4, Interesting)

    by Threni ( 635302 ) on Friday September 05, 2014 @04:57PM (#47838067)

    A browser not trusting something that's not to be trusted is a positive thing. Yes, some old sites will suffer. That's how it's supposed to work. They'd better up their game. People expect security to be take more seriously these days, as there is more at stake and more muppets with a lot of time on their hands trying to attack you.

    • by Anonymous Coward

      I agree, but the danger is that when people see more and more security warnings for sites that they trust or that seem legitimate, they will learn to click through all warnings. Non-browser-related example (because who in their right mind would run Java in a browser): For every Java update I get a "revocation information not available" error. Apparently Oracle can't handle their certificates appropriately. They're not likely to fix it. What should I do? Of course I click through it, because an old Java vers

      • "they will learn to click through all warnings". Kinda Vista's UAC did for Windows users. Besides, people will go to great lenghts to see lolcats.

  • by Skuld-Chan ( 302449 ) on Friday September 05, 2014 @05:01PM (#47838089)

    Firefox doesn't support the OS's built in certificate stores, which makes it a really big pain in the ass to manage certs yourself (like if your managing certs for firefox users at your company) - you basically have to compile certutil and write all kinds of fun scripts for client devices.

    If firefox let me co-manage certs I could just re-add the deprecated cert :).

    • by Anonymous Coward

      And that's probably why they don't, captcha prorate

    • Firefox is becoming a real pain in the ass when it comes to certs. I can see displaying a "ZOMG!!! WARNING!!!" when trying to load a low-bit cert, but it fails completely, which makes it unusable for managing more and more enterprise appliances, some of them being brand new. One could go to each and every appliance and LOM module and generate a new high-bit cert but if you've got enough of them in your data center it's a royal pain in the ass to do so.

      The solution? Use any browser other than firefox.

      • by Anonymous Coward

        Actually, I like the way that Firefox manages CA.

        Where I work, they have pushed CA's to PCs. When I connect to https://mail.google.com, and several other sites, in IE or Chrome, no warning. The company's MITB computer is not detected. When I connect with Firefox, I get the proper warning.

        Of course, most people think that Firefox is the problem and prefer Chrome until I explain what's really going on. If I want to add the company's CA manually, I can but at least it's my choice.

  • you'll never know how many you can't trust.

  • Math. (Score:4, Insightful)

    by msauve ( 701917 ) on Friday September 05, 2014 @05:13PM (#47838155)
    "Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25"

    So, the headline should really say 31,000, since 76,000 shouldn't be trusted regardless of what Mozilla does.
    • by afidel ( 530433 )

      It's much more important than the 31k affected sites, 1024 roots are weak enough targets that just about any nation state and many crime syndicates can create a flood of valid and trusted certs just by factoring the private key of that one CA cert.

      • by msauve ( 701917 )
        "It's much more important than the 31k affected sites"

        If there are only 31K affected sites, how can it be "more important" than that? The rationalization you give only applies to sites with 1024 roots, which has been stipulated to be those 31K. Where's the "more?"
  • Meh! (Score:2, Insightful)

    by Anonymous Coward

    So basically the net effect will be another warning page to click through when visiting the sites in question? Do end users really know what any of this stuff really menas?

  • Seriously, how does this effect web browsing for the average Joe?

    • by Nimey ( 114278 )

      If you visit an affected website in Firefox 32+ it'll warn you about the SSL certificate and you'll have to take a couple extra steps to visit it. For you it's an inconvenience, but only if you use one of these sites. For the website operator maybe it'll shame them into getting an updated certificate.

    • Comment removed based on user account deletion
  • by Anonymous Coward

    RSA-1024 are still safe, despite what many fearmongers have been preaching for years. It was only a few days ago
    (http://www.newscientist.com/article/dn26135-factorisation-factory-smashes-numbercracking-record.html?cmpid=RSS|NSNS|2012-GLOBAL|online-
    news#.VAXRfDzYvyF) that a new factorization record was announced. It is a roughly 1,024-bit integer - but it took 2000 high end-PC years, and it is a Mersenne integer - orders of magnitude easier to factorize than an integer of similar size obtained as the product

    • by Dahan ( 130247 ) <khym@azeotrope.org> on Saturday September 06, 2014 @04:17AM (#47840007)
      Who cares how many "high end-PC years" it took? Nobody's going to try to factor a 1024-bit modulus using a single high-end PC. It took 4 actual years to factor 10 numbers. And why do you think someone who wants to factor the RSA modulus for a 1024-bit CA cert would have waited until today to start the process? Those certs have been around for over 10 years; if someone with enough computing power wanted to factor one, they could be done by now.
  • Remember that the exponential math in DH and RSA is called a HARD problem, not and impossible one. Consider that regarding key strength 1024 bits of RSA is not very secure in today's world. I'm not saying it's cracked... Just weak.

Think lucky. If you fall in a pond, check your pockets for fish. -- Darrell Royal

Working...