ThorstenSchmitt - Fotolia

Mozilla set to dump SHA-1 certificates by early 2017

Roundup: Firefox browser will reject SHA-1 certificates as soon as Mozilla announces further details relating to the deprecation of the outdated algorithm; plus, Oracle patches and more.

Mozilla wants the world to know just how insecure the SHA-1 hashing algorithm is.

Starting in early 2017, Mozilla browsers will show an "untrusted connection" error -- which can be overridden by the user -- when they encounter SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. Mozilla had announced plans last year to phase out support for certificates signed with the SHA-1 algorithm, which has been criticized by many infosec experts and technology companies in recent years.

The announcement should come as no surprise, as Microsoft and Google have also been beating the drum to deprecate SHA-1 support in the companies' leading browsers over the past year. Mozilla's action follows announcements from both Microsoft and Google calling for blocking SHA-1-signed Transport Layer Security certificates by the start of 2017. Experts say the cost of compromising SHA-1 with a collision attack continues to drop and could already be within reach of cybercriminals with deep pockets.

Mozilla wrote, "SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible."

The new policy will be incorporated into Firefox 51, with deprecation of SHA-1 enabled for beta users starting as early as Nov. 7; Firefox 51 is scheduled for general release in January 2017.

In other news

  • Oracle's October Critical Patch Update (CPU) includes fixes for a whopping 253 vulnerabilities, the second largest batch ever for one of Oracle's quarterly patch releases. Members of the research team at ERPScan, an application security firm based in Palo Alto, Calif., told SearchSecurity by email this CPU addresses security issues in business-critical applications from Oracle. "For example, Oracle E-Business Suite has the highest number of updates among mission-critical software (a total of 21) issues, where 11 are assessed as high. Fourteen of them can be exposed online, providing an entry point for remote attackers." A critical vulnerability was patched in the Oracle HTTP Server, which is part of Oracle's E-Business Suite. "The vulnerability is assessed as critical and, according to Oracle's advisory, allows [an] unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, which can result in complete DoS [denial of service] of the component."
  • After the FBI lifted a gag order on Google relating to a National Security Letter (NSL) it issued in the second half of 2015, the search giant updated its transparency report to show it received at least one NSL during that time period. Richard Salgado, Google's director for law enforcement and information security, wrote that "pursuant to the USA Freedom Act, the FBI lifted a gag restriction on an NSL issued in the second half of 2015. To reflect this, we have updated the range of NSLs received in that period -- July to December 2015 -- from 0-499 to 1-499." Google also received an increase in the number of requests made under the Foreign Intelligence Surveillance Act compared to the first half of 2015, jumping from between 16,000 and 16,499 requests to between 21,000 and 21,499 requests. Salgado noted that "the USA Freedom Act authorizes companies like Google to report these figures in ranges, but not precise numbers."
  • Two-year old Android malware Ghost Push is still infecting devices, according to research from Cheetah Mobile, a mobile internet company based in Beijing. Ghost Push can infect Android devices running any version of the OS up to and including version 5 -- Lollipop. That means as many as 57% of Android devices are still vulnerable to the malware, which can root devices and which is spread through deceptive advertising and pornographic websites. The researchers wrote: "The malicious behaviors of this Trojan are basically the same with other Trojans in the family. Generally speaking, the number of users infected is small. However, the Trojans are able to root the infected phones and cooperate with each other to install more malware in users' phones. They also trick users into downloading malware with pornographic things and deceptive pages." The researchers advised users to "avoid clicking unknown third-party links and only download applications from reputable app stores." Failing that, they added, "Another solution is to update the device to Android 6.0."
  • Quarkslab published its security audit of open source on-the-fly encryption software VeraCrypt version 1.18. The audit uncovered eight critical vulnerabilities, as well as three medium and 15 low vulnerabilities. "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software," OSTIF wrote, adding that the publication of the audit report was timed to coincide with the release of an update, version 1.19, which fixes most of the bugs. "Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt."
  • In election news, Liverpool, U.K.-based security researcher Kevin Beaumont reported email servers running at Republican candidate Donald Trump's businesses had some huge problems, as he tweeted that Trump corporate email servers were "all internet-accessible, single-factor auth [authentication], no MDM [mobile device management], Win2003, no security patching." Microsoft stopped supporting Windows 2003 over a year ago, and Motherboard reported the servers were running Microsoft's also end-of-lifed IIS 6.0 servers.

Next Steps

Find out more about why SHA-1 is being undermined as a reliable algorithm.

Learn why Mozilla dropped WoSign as a trusted certificate authority.

Read about the importance of migration from SHA-1 to SHA-2.

Dig Deeper on PKI and digital certificates