Opened 5 years ago

Last modified 3 years ago

#1354 new change

Don't use SHA-1 in web server certificate chains

Reported by: greiner
Assignee:
Priority: Unknown
Milestone:
Module: Infrastructure
Keywords: adblockplus.org eyeo
Cc: matze
Blocked By:
Blocking:
Platform: Unknown
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s):

Description (last modified by greiner)

Background

Starting with Chrome 41, SHA-1 is considered insecure by Google, which has deprecated SHA-1 in Chrome and now marks certificates that use SHA-1 as "secure, but with minor errors". If we create a new SHA-1 certificate next year, this would degrade to "affirmatively insecure".

What to change

Replace the existing certificates in the certificate chain with ones that use SHA-2 for eyeo.com, www.eyeo.com, intraforum.adblockplus.org, issues.adblockplus.org and any other domain that's not covered by the adblockplus.org certificate.

Change History (4)

comment:1 Changed 5 years ago by greiner

  • Description modified (diff)

comment:2 Changed 4 years ago by greiner

  • Description modified (diff)
  • Summary changed from Don't use SHA-1 for adblockplus.org certificate to Don't use SHA-1 in web server certificate chains

comment:3 Changed 4 years ago by greiner

  • Cc matze added
  • Description modified (diff)
  • Keywords eyeo added

I just noticed that this issue also affects eyeo.com which makes our company look a bit untrustworthy to regular people who visit our homepage.

comment:4 Changed 3 years ago by greiner

  • Tester set to Unknown

Mozilla published an update to its roadmap for phasing out SHA-1 certificates. Any such certificate whose "valid before" date is after 2016-01-01 or whose "valid after" date is after 2017-01-01 (or even 2016-07-01) will be considered "untrusted".
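Checking a deployed chain for the problem this ticket describes (an added example; not part of the ticket and not eyeo's own tooling): a stdlib-only Python script that walks each certificate's DER, reports its signature algorithm and validity window, flags every SHA-1-signed certificate except a self-signed root (browsers never verify a trust anchor's own signature, so a SHA-1 root is not what the "What to change" section is about), and applies the cut-off dates quoted in comment 4. The sample chain is constructed inline with placeholder (empty) signatures so the script runs offline; the certificate names, the OID table, and the mapping of the quoted cut-offs onto the notBefore/notAfter fields are assumptions made here.

```python
"""Audit an X.509 chain for SHA-1 signatures with a minimal DER walker (stdlib only)."""
import base64
import re
from datetime import date

# Signature-algorithm OIDs relevant to this check (RFC 3279 / RFC 5758); table is an assumption.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
# Cut-off dates quoted in comment 4; applying them to notBefore/notAfter is an assumption.
SHA1_ISSUED_CUTOFF = date(2016, 1, 1)
SHA1_EXPIRY_CUTOFF = date(2017, 1, 1)

# ---- DER reading (only what the audit needs) ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, value) for each element inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def oid_to_str(body):
    """Decode OID content bytes (base-128 arcs) to dotted form."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                    # UTCTime: RFC 5280 says YY >= 50 means 19YY
        yy = int(s[:2])
        return date(1900 + yy if yy >= 50 else 2000 + yy, int(s[2:4]), int(s[4:6]))
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))   # GeneralizedTime

def parse_cert(der):
    """Pull the outer signature algorithm, validity and issuer/subject DER out of one cert."""
    _, cert, _ = read_tlv(der)
    tbs, sig_alg, _sig = children(cert)
    fields = list(children(tbs[1]))
    if fields[0][0] == 0xA0:           # explicit [0] version is optional
        fields.pop(0)
    _serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity[1]))
    alg_oid = oid_to_str(next(children(sig_alg[1]))[1])
    return {"sig_alg": SIG_ALGS.get(alg_oid, alg_oid), "not_before": not_before,
            "not_after": not_after, "self_signed": issuer[1] == subject[1]}

def load_pem_chain(text):
    """Decode every CERTIFICATE block, e.g. from `openssl s_client -showcerts` output."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def audit_chain(chain):
    """Flag every non-root certificate in the chain that carries a SHA-1 signature."""
    results = []
    for der in chain:
        c = parse_cert(der)
        c["uses_sha1"] = c["sig_alg"] in SHA1_ALGS
        # A trust anchor's self-signature is never verified by browsers: not a finding.
        c["finding"] = c["uses_sha1"] and not c["self_signed"]
        c["mozilla_untrusted"] = c["finding"] and (
            c["not_before"] >= SHA1_ISSUED_CUTOFF or c["not_after"] >= SHA1_EXPIRY_CUTOFF)
        results.append(c)
    return results

# ---- Constructed sample chain: DER layout only, empty signatures, not real certificates ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        groups = [a & 0x7F]
        a >>= 7
        while a:
            groups.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))

def name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x13, cn.encode()))))

def utctime(y, m, d):
    return tlv(0x17, f"{y % 100:02d}{m:02d}{d:02d}000000Z".encode())

def make_cert(subject, issuer, sig_oid, not_before, not_after):
    alg = tlv(0x30, oid(sig_oid) + b"\x05\x00")
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer)
              + tlv(0x30, utctime(*not_before) + utctime(*not_after)) + name(subject) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))   # signatureValue left empty on purpose

SAMPLE_CHAIN = [   # hypothetical names; a SHA-1 leaf issued in 2016, a SHA-256 intermediate, a SHA-1 root
    make_cert("www.eyeo.com", "Example Issuing CA", "1.2.840.113549.1.1.5", (2016, 3, 1), (2018, 3, 1)),
    make_cert("Example Issuing CA", "Example Root", "1.2.840.113549.1.1.11", (2014, 1, 1), (2024, 1, 1)),
    make_cert("Example Root", "Example Root", "1.2.840.113549.1.1.5", (2006, 1, 1), (2030, 1, 1)),
]
SAMPLE_PEM = "".join("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d).decode()
                     + "-----END CERTIFICATE-----\n" for d in SAMPLE_CHAIN)

if __name__ == "__main__":
    for c in audit_chain(load_pem_chain(SAMPLE_PEM)):
        print(c["sig_alg"], c["not_before"], c["not_after"],
              "FINDING (Mozilla: untrusted)" if c["mozilla_untrusted"] else
              "FINDING" if c["finding"] else "ok")
```

To run it against a live host, capture the chain the server actually sends with `openssl s_client -connect www.eyeo.com:443 -servername www.eyeo.com -showcerts </dev/null > chain.pem` and call `audit_chain(load_pem_chain(open("chain.pem").read()))`. The walker reads only the fields it needs, in the order RFC 5280 fixes them, and verifies nothing; it is an audit helper for spotting SHA-1 in a chain, not a certificate validator.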
