Mozilla certification revocation: 107,000 websites sunk by untrusted torpedo Over 107,000 websites have been consigned to the depths of the untrusted internet after Mozilla's move last week to allow its 1024-bit certificates to expire. The latest shipment of Firefox 32 improved security by killing support for the 1024-bit certificate authority (CA) certificates within the browser's trusted store. …
Unless of course you already forked out for a 3 or 5 year certificate….
Having worked at a certain financial institution that had this very issue, I can vouch for Verisign that signing a new 2048-bit request for the remainder of your purchased term is free of charge.
And I'd also note that this requirement issue was tackled by said bank back in 2011. VeriSign would not sign any 1024-bit cert with a validity beyond 2012. What kind of CA has been signing certs with expiration dates beyond 2012?
CAs are also known to to provide false keys to "law enforcement and similar clients".. so statesalready have the keys for MiM attacks..
As for Mozilla... well, they decided not to ban CAs that participate in MiM attacks by security forces, delete posts in forums about it, etc.
While I agree that at some point they should all be 2048 bits.. they are trying to fix something that is NOT the problems. The CAs are the problem.
"There really is no excuse for a webmaster not to have updated to a 2048bit certificate, it's not like we haven't been aware of this for the last 3 years.
All the major CAs have had big warnings plastered across their sites for a long long time."
Agree. And I also praise Mozilla for taking the lead of the cleanup of the smoking mess that is TLS CAs signoffs. They are doing it at the expense of pissing off the clueless, but ultimately securing communications of everyone. Hence, hats off to them.
This post has been deleted by its author
He added this recommendation: "If you still use a 1024-bit RSA key for any other purpose, such as a Secure Shell (SSH) or PGP, it is past time to consider those obsolete and start rolling out stronger keys, of at least 2048 bits, and using ECC-based keys where available"
Mmmm, hmm, and just how many open-source implementations are there for ECC OpenPGP? GnuPG 2.1 is still in development and is not ready for production.
I did experiment with it, I like having a reasonably secure key in a small space, specifically I was looking at it for AX.25. But it's still a fair way off.
I guess they downvoted because I mentioned OpenPGP which isn't TLS.
However, I'm pretty sure the older SSL stacks out there don't support ECC either. Yandex still uses SSLv3 for example. Does switching to an ECC-based certificate lock you out of their search engine?
read Knuth's explanation of why this is not so helpful. But, and this is But^10 , we do not *know* there is not a better factoring algorithm - it just hasn't been found.
Other methods may have a better chance of proving inverse difficulty, but factoring only has history...and that is an unreliable metric!! (Gauss and Euler didn't have computers...)
P.
RSA's cracking difficulty grows exponentially instead of being linear. Just to put it in perspective, 512-bit RSA was cracked in 1999. The largest RSA number cracked from the RSA challenge has been 704 bits long, and that was in 2012. Ok, 768-bit challenge was factored in 2009. But many of these efforts have been running non-stop for God knows how many months. Or years. Up until now, nobody has been able to factor 1024-bit RSA numbers, even though it is possible that cracking 1024-bit keys will be possible in the near future. But 2048? Unless something better than the quadratic sieve is discovered, or quantum computing actually takes off, it's still a long way down the road.
I have disabled all bar ten CAs on a couple of installations--it's been a few months ago and I'm still to get any warning regarding an untrusted cert.
Ideally, browsers would come with CA certs pre-installed, but initially untrusted until the user hits a website that requires it, then it would ask the user whether they trust the Turkish Central Bank CA to have signed the cert for google.ie, for example. It's far from perfect as it has an impact on usability and it does not address the real problem (pointed out by Aitor above), but nonetheless it'd be a small step forward.
However, as Aitor hints at, CAs cannot be trusted anyway as they're in the habit of "lending" their signing keys to, as they call it, "partners".
Mozilla on Wednesday launched a Developer Preview program to solicit feedback on Firefox extensions that implement Manifest v3, a Google-backed revision of browser extension architecture.
Mozilla last year said it intended to support MV3 in Firefox extensions, though with some differences. Its implementation of the WebExtensions API in Firefox has now incorporated enough of MV3 plumbing that developers can set the appropriate browser flags and experiment with MV3 extensions in Firefox v101, now in beta and due for release at the end of May.
Google Chrome is expected to stop supporting extensions created under the old MV2 specification in about a year, June 2023. And given Chrome's share of the browser market – about 64 per cent currently – extension developers will want to have updated their code by then and to have accounted for how MV3 works – or doesn't – in different browsers.
The Mozilla Foundation has released version 100 of its flagship web browser Firefox.
There's no link in the above paragraph because, strangely, at the time of writing, the new browser is not officially mentioned anywhere on Mozilla's website. However, you can download it from Mozilla: it's already on the foundation's FTP site. You can choose between versions for macOS, and both 32-bit and 64-bit Windows and Linux.
If you're not into the flat look of recent versions of Windows, it will run on Windows 7 too, but you will need to install the official Microsoft update KB4474419 first. (Yes, Mozilla's support site does concede that the new version exists.)
Browser makers Apple, Google, Microsoft, and Mozilla, along with software consultancies Bocoup and Igalia, have agreed to work together to make web design technologies perform in a more consistent way across different platforms.
The group has created a benchmark called Interop 2022 to assess how a handful of web standards get implemented by different vendors, with an eye toward ironing out differences. The idea is that web applications should look and behave the same way across different devices and operating systems. At the moment, that's not the case, to the chagrin of web developers who still wrestle with browser inconsistencies.
"For the first time ever, all major browser vendors, and other stakeholders, have come together to solve the top browsers compatibility issues identified by web developers," said Rachel Andrew, Philip Jägenstedt, and Robert Nyman from Google, in a blog post on Thursday.
This February Google put out Chrome 98, closely followed by Mozilla releasing Firefox 97. Soon both will hit version 100.
The memory of the web industry is short. This has happened before: when Opera reached version 10 in 2009, it caused problems, and just three years later, Firefox 10 faced similar issues.
And it will happen again. Google is planning to release Chrome 100 at the beginning of April, and Firefox 100 should follow in May.
The Linux Mint distro has been busy. Not only has it pushed out release 20.3, it's also announced a deal with Mozilla, meaning vanilla Mozilla versions of Firefox and Thunderbird.
It's very hard to estimate the relative popularity of Linux distributions. Aside from a couple of paid enterprise distros, they're all free downloads without serial numbers, activation nor any other tracking mechanisms. One of the only mechanisms is the Distrowatch popularity page, although vendors dispute its accuracy.
Saying that, Mint is in third or fourth place, outranking its own upstream distro, Ubuntu, which comes sixth. Each major version of Mint is based upon the long-term support version of Ubuntu: Mint 20 is based on Ubuntu 20.04.
In a hard-to-beat demo of the perils of software telemetry, Mozilla accidentally kicked legions of users offline last week by an update to its telemetry servers that triggered an existing bug in Firefox. Internally, Mozilla is calling the bug "foxstuck".
Firefox periodically reports back some fairly innocuous info, including how long your session lasted, how many tabs and windows you had open, what extensions you have and so on. You can see a list by entering about:telemetry in the address bar.
It's all pretty harmless data. What isn't harmless is if your browser goes TITSUP* and stops you from accessing any website just because it can't phone home – especially if other browsers still work fine.
Debian is having problems with a current version of Firefox that leaves users with a dangerously outdated browser.
One of the grey-bearded elders of the Linux distro world, Debian has had issues with Mozilla before. For years, it built its own forks of the Mozilla apps – Iceweasel, Icedove, Iceape, and Iceowl – because of a disagreement over trademark use. But this time the issues are technical rather than legal.
As a conservative, stable distro, Debian includes the Extended Support Release (ESR) version of Firefox – ideal for those who find Mozilla's four-weekly release cycle a bit too rapid.
Comment As Firefox's share of the browser market continues to slide, the Waterfox Project shows some of the ways that Mozilla is failing to listen to its users – and it's far from the only example.
Waterfox, which has just released its fourth version, came to your correspondent's attention after the arrival of Firefox 57, codenamed Quantum, which represented a major change in the program, complete with parts of the browser engine written in Rust.
(The Rust language itself started out as a Mozilla project. Despite Rust's popularity, within three years, Mozilla would also lay off members of the Rust language team.)
Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions.
These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork."
Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."
Mozilla is trialling personalised advertising in its Firefox Suggest feature, along with sponsored search results, with users told that it "helps fund Firefox development."
Firefox Suggest was first introduced last month in Firefox 92, billed as "a new discovery feature that is built directly into the browser."
The feature provides links as the user types in the search bar, which can be based on local browsing history, bookmarks and open tabs, or on "sponsored suggestions from vetted partners." Currently, users outside the US only see these uncontentious local prompts.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022
