Opened 4 years ago

Closed 3 years ago

#18042 closed task (fixed)

Make sure certificates signed with SHA-1 are not accepted anymore in ESR 45

Reported by: gk
Owned by: tbb-team
Priority: High
Component: Applications/Tor Browser
Severity: Major
Keywords: tbb-security, ff45-esr, tbb-6.0a5, TorBrowserTeam201604R

Description

Mozilla released Firefox 43 which did not accept SHA-1 signed certificates anymore. However, this apparently broke some MITM boxes (https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/) and they released a point update reverting this change.

We don't want to have this security feature reverted and should make sure our ESR 45 based code is rejecting SHA-1 signed certificates as expected.

Attachments (1)

0001-fixup-TB4-Tor-Browser-s-Firefox-preference-overrides.patch (995 bytes) - added by gk 3 years ago.

Change History (9)

comment:1 in reply to: description Changed 4 years ago by bugzilla

The situation is much more complicated (even Mozilla released several out-of-schedule patches :)
It started from M$: they decided to deprecate SHA-1 for CAs from 2016.
So Mozilla had to update their products. But XP SP2, Vista (SP?), Win7 were incompatible with their solution, so they decided to split their development process into two trees: for newer and for older systems (no future updates on the main branch since FF 43.0.1).
Thinking that deprecation would improve security, Mozilla decided to suppress SHA-1 in certificates (which is not required by M$). But a lot of software is still using it, which leads to incompatibility, so another chemspill (43.0.4) was fired.

Summary: SHA-1 officially reported as weak but secured. CAs continue to issue SHA-1 certs, but must use SHA-2 certs for themselves.
Rejecting SHA-1 certs not optionally is definitely the wrong solution.

Last edited 3 years ago by bugzilla

comment:2 Changed 3 years ago by gk

FWIW: This is basically done by setting security.pki.sha1_enforcement_level properly. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1236975 for reverting the SHA-1 blocking and https://bugzilla.mozilla.org/show_bug.cgi?id=942515 for the implementation.
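What the preference asks the certificate verifier to do is reject chains whose signatures use a SHA-1 based algorithm. As an added stand-alone example (not code from the ticket, Tor Browser or Mozilla), the Python below reads the signatureAlgorithm OID from a DER certificate and flags the SHA-1 variants; the `_der` encoder and `fake_certificate` helper are assumptions that exist only to build constructed sample certificates offline.

```python
SHA1_SIGNATURE_OIDS = {                      # RFC 3279 signature algorithm identifiers
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = size of length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends the arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = _read_tlv(der, 0)
    _, _, tbs_end = _read_tlv(der, pos)                  # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)            # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    return _decode_oid(der[oid_start:oid_end])

def is_sha1_signed(der):
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS

def _der(tag, content):
    """Tiny DER encoder (lengths up to 255) used only to build the constructed samples."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + content

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5, DER content
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11, DER content
def fake_certificate(sig_oid_der):
    """Constructed sample: a valid outer Certificate shell with placeholder tbs/signature."""
    tbs, alg = _der(0x30, _der(0x02, b"\x01")), _der(0x30, _der(0x06, sig_oid_der) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xab" * 128)            # >127 bytes: long-form length
    return _der(0x30, tbs + alg + sig)
```

A real chain check runs this over every certificate in the chain, not just the leaf, since a SHA-1 signature on an intermediate is just as weak.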

comment:3 Changed 3 years ago by bugzilla

Seems that Mozilla is planning to do it as you want - in their 45.0esr. (status-firefox-esr45: affected)
But comment https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c56 greatly demonstrates that the situation with SHA-1 is far from a seamless resolution.

Last edited 3 years ago by bugzilla

comment:4 Changed 3 years ago by gk

Keywords: tbb-6.0a5 added

comment:5 Changed 3 years ago by gk

Keywords: TorBrowserTeam201604 added

We want that for the alpha and the ESR 45 stable series.

comment:6 Changed 3 years ago by gk

Keywords: TorBrowserTeam201604R added; TorBrowserTeam201604 removed
Status: new → needs_review

Let's try that out in the upcoming alpha. Please review the attached patch.

comment:7 Changed 3 years ago by mcs

r=mcs
Looks good to me.

comment:8 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

Fixed with commit 60916de81de12775e7d172b0cb46b9d71b3f6736.
