Firefox ban on SHA-1 dropped after many locked out of HTTPS sites

Mozilla reinstates support for the vulnerable SHA-1 crypto on a temporary basis until it can figure out how to avoid some unintended side effects.
Written by Zack Whittaker, Contributor
Millions have already see this from new year. (Image: ZDNet/CBS Interactive)

Mozilla has temporarily reinstated support for a vulnerable cryptographic algorithm after some Firefox users were unable to access encrypted HTTPS websites.

The browser maker blamed the unintended consequence of deprecating support for SHA-1 certificates on man-in-the-middle devices, such as security scanners and anti-virus products.

In a blog post, security engineer Richard Barnes explained that most Firefox users aren't affected, and those who are can simply upgrade to the latest version of Firefox -- version 43.0.4, released on Wednesday -- to fix the problem.

"When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server's real certificate," Barnes explained.

"Since Firefox rejects new SHA-1 certificates, it can't connect to the server," he added.

The good news is that you can tell if you're affected by visiting Mozilla's security blog. If you are, you can upgrade from its website.

The bad news is that this wasn't exactly unexpected.

Mozilla's missed million

For months, it's been known that SHA-1 certificates would effectively start lighting up with warnings from January 1. That's because SHA-1 is on the verge of being cracked, making the algorithm useless. Most websites have already updated to using the newer SHA-2 certificates. But a small though sizable portion of the internet's users still don't have browsers or devices that are compatible with SHA-2, a newer algorithm that will last for many years to come.

In our story a few months ago, industry experts warned that many millions of users would be booted from the encrypted web, because many browser makers would no longer support the standard from the new year.

Facebook chief security officer Alex Stamos said in a December blog post that while the social network supports the deprecation of SHA-1 certificates, the company does not "think it's right to cut tens of millions of people off from the benefits of the encrypted Internet."

CloudFlare chief executive Matthew Prince, who said that the move would "leave a whole chunk of the internet in the past," said as many as 37 million users would face problems, with China being the most affected.

This isn't the first time Mozilla, a browser maker that has long warned it would drop support for SHA-1, has faced troubles ahead of its deprecation.

In 2014, the company updated its website with a new SHA2-hashed certificate. In doing that, it cut off a lot of people who wanted to download Firefox for the first time. Mozilla's Chris More said in a bug listing at the time that the upgrade "killed one million downloads" following the website upgrade.

"A lot of the world is still running old browsers and come to our website to get Firefox," he added.

Pulling weight

Despite the challenges, Mozilla said it remains committed to banishing support for SHA-1 down the line.

But, in order to make sure people don't get cut off from the web, everyone has to pull their weight, said Barnes. He added that man-in-the-middle vendors, including software firms, "should be working to update their products to use newer digest algorithms."

In any case, many hardware devices and anti-virus products have removed SHA-1 certificates already and require the user to update.

Mozilla didn't say when exactly it would again drop support but Barnes suggested that SHA-1 support could be dropped in the coming weeks or months, in Firefox 45 or 46.

Editorial standards