Opened on 09/10/2014 at 01:59:47 PM
Last modified on 10/26/2015 at 11:13:52 AM
#1354 new change
Don't use SHA-1 in web server certificate chains
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | greiner | Assignee: | |
| Priority: | Unknown | Milestone: | |
| Module: | Infrastructure | Keywords: | adblockplus.org eyeo |
| Cc: | matze | Blocked By: | |
| Blocking: | | Platform: | Unknown |
| Ready: | no | Confidential: | no |
| Tester: | Unknown | Verified working: | no |
| Review URL(s): | | | |
Description (last modified by greiner)
Background
Starting with Chrome 41, SHA-1 is considered insecure by Google, who has deprecated SHA-1 in Chrome and now considers certificates that use SHA-1 "secure, but with minor errors". If we create a new SHA-1 certificate next year, this would degrade to "affirmatively insecure".
What to change
Replace the existing certificates in the certificate chain with ones that use SHA-2 for eyeo.com, www.eyeo.com, intraforum.adblockplus.org, issues.adblockplus.org and any other domain that's not covered by the adblockplus.org certificate.
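As an added example (not part of this ticket or of eyeo's infrastructure code), the check below walks a PEM certificate chain and reports which certificates are signed with SHA-1, decoding just enough DER with the Python standard library to read each certificate's outer signatureAlgorithm OID. The sample chain it runs on is constructed from certificate-shaped DER, not real certificates, and the function names and OID table are the example's own.

```python
import base64
import re
# Signature-algorithm OIDs (RFC 3279 / RFC 5758) and the hash each one uses.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "sha1", "1.2.840.113549.1.1.11": "sha256",   # RSA
    "1.2.840.113549.1.1.12": "sha384", "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.1": "sha1", "1.2.840.10045.4.3.2": "sha256",         # ECDSA
    "1.2.840.10045.4.3.3": "sha384", "1.2.840.10045.4.3.4": "sha512",
}

def _tlv(buf, pos):  # one DER tag-length-value at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # first byte packs the first two arcs
    for b in raw[1:]:                             # then base-128 digits, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Hash named by the outer signatureAlgorithm of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _tlv(sig_alg, 0)
    return SIG_ALG_HASH.get(_decode_oid(oid), "unknown")

def sha1_certs_in_chain(pem_text):
    """0-based positions of SHA-1-signed certificates in a PEM chain (leaf first)."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    ders = [base64.b64decode("".join(b.split())) for b in re.findall(pem_re, pem_text, re.S)]
    return [i for i, d in enumerate(ders) if signature_hash(d) == "sha1"]

# Constructed sample data: certificate-SHAPED DER (empty tbsCertificate, dummy signature), not a real cert.
def build_sample_cert(oid):
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
SAMPLE_CHAIN_PEM = to_pem(build_sample_cert(SHA256_RSA_OID)) + to_pem(build_sample_cert(SHA1_RSA_OID))
```

Feed it the PEM blocks printed by `openssl s_client -showcerts -connect host:443`; browsers do not evaluate the signature on a self-signed root, so only the leaf and intermediate certificates need to move to SHA-2.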
Attachments (0)
Change History (4)
comment:2 Changed on 05/11/2015 at 03:33:41 PM by greiner
- Description modified
- Summary changed from Don't use SHA-1 for adblockplus.org certificate to Don't use SHA-1 in web server certificate chains
comment:3 Changed on 05/11/2015 at 03:58:39 PM by greiner
- Cc matze added
- Description modified
- Keywords eyeo added
comment:4 Changed on 10/26/2015 at 11:13:52 AM by greiner
- Tester set to Unknown
Mozilla published an update to its roadmap for phasing out SHA-1 certificates. Any such certificates whose "valid before" date is after 2016-01-01 or whose "valid after" date is after 2017-01-01 (or even 2016-07-01) will be considered "untrusted".
I just noticed that this issue also affects eyeo.com which makes our company look a bit untrustworthy to regular people who visit our homepage.