Reversing its earlier stand of disallowing SHA-1 certificates, Firefox announced that it has temporality re-enabled support for SHA-1 certificates in its latest version. The move comes after the company noticed that some man-in-the-middle” devices (including some security scanners and antivirus products), could not access HTTPS web sites after Firefox 43 began rejecting new certificates signed with the SHA-1 digest algorithm from January 1 new year.
For long IT experts have voiced their opinion that SHA-1 cryptographic algorithm could make PC’s vulnerable to hacking and malware attacks. Companies such as Microsoft, Google and Mozilla have also announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017. However, the fact that many companies might still be using self-generated SHA-1 certificates internally, a complete ban on SHA-1 looks impossible.
Richard Barnes, security engineer at Mozilla, mentioned at the blog post,
The latest version of Firefox re-enables support for SHA-1 certificates to ensure that we can get updates to users behind man-in-the-middle devices, and enable us to better evaluate how many users might be affected. Vendors of TLS man-in-the-middle systems should be working to update their products to use newer digest algorithms.
Google was the first of the IT giant to acknowledge the difficulty in phasing out SHA-1 completely and the Search Engine giant would be banning certificate only that originate from public certificate authorities.
SHA-2 is the most secure, but SHA-1 still exist
Though many websites have upgraded to use the more secure SHA-2, there are still a sizeable number of users having browsers which don’t accept SHA-2. Had Firefox and other browser companies insisted on the SHA-1 ban, it would have shunted out millions of users out from encrypted web.
Facebook chief security officer Alex Stamos said in a December blog post that even though supports the banning of SHA-1 certificates, the company does not “think it’s right to cut tens of millions of people off from the benefits of the encrypted Internet.” The move could mean that almost 37million users would face problems said CloudFlare chief executive Matthew Prince. The majority of these people are from China.
Mozilla says that those affected with SHA-1issue are advised to download the latest version of Firefox from another browser since Firefox provides updates over just HTTPS.
On banning SHA-1 completely on Firefox, the company says it is soon going to do that but remains non-committal on the exact date of enforcement.