Mozilla certification revocation: 107,000 websites sunk by untrusted torpedo

  • 8 September 2014
  • 1 reply

By Darren Pauli, 8 Sep 2014
 
Over 107,000 websites have been consigned to the depths of the untrusted internet after Mozilla's move last week to allow its 1024-bit certificates to expire.
The latest shipment of Firefox 32 improved security by killing support for the 1024-bit certificate authority (CA) certificates within the browser's trusted store. Google's Chrome, on the other hand, has not yet removed support for the 1024-bit CA certificates over concerns about the number of websites that would likely be affected.
Mozilla's move was in line with best practice advice from boffins at the National Strategy for Trusted Identities in Cyberspace (NIST), who warned (PDF) organisations to migrate and accept only 2048-bit keys.
Rapid7 chief security officer HD Moore reported last week that 107,535 had been affected by the security upgrade. He obtained the data through public network analysis tool Project Sonar.
Image: 1024 certificate expiry (HD Moore)
"There is a little disagreement that 1024-bit RSA keys may be cracked today by adversaries with the resources of nation states [and eventually] by operators of relatively small clusters of commodity hardware,"
 
The Register/ full article here/ http://www.theregister.co.uk/2014/09/08/107000_dodgy_sites_struck_by_mozilla_untrusted_torpedo/


The following article is an update on Mozilla Certification Revocation

(Security Growing Pangs Loom For 100K+ Sites With Newly Untrusted Certificates)

 
By Ericka Chickowski, Posted on 9/11/2014
 
Mozilla revokes 1024-bit root certificates in bid to improve Firefox security and similar changes to come for Chrome as Google plans to dump SHA-1 certificates.
As browser developers try to push the industry toward safer certificate standards, it won't come without some pain: Tens of thousands of sites are already experiencing that following a move last week by Mozilla to revoke a number of root certificates using 1024-bit keys. According to security researchers, that's the approximate number of sites left untrusted as a result of Mozilla's not-so-subtle push to get developers to upgrade their SSL protections with certificates utilizing 2048-bit keys.
According to Mozilla, the company is forcing migration away from 1024-bit certificate in phases, so at the moment it has only revoked select certificates from Entrust, SECOM, GoDaddy, EMC/RSA, Symantec/VeriSign, and NetLock. It will wait until early 2015 to revoke similar certificates from Thawte, VeriSign, Equifax, and GTE Cybertrust that are operated by Symantec and Verizon Certificate Services. "We are actively working with CAs to retire SSL and Code Signing certificates that have 1024-bit RSA keys in an effort to make the upgrade as orderly as possible, and to avoid having system administrators find themselves in emergency mode because their SSL keys were compromised," says Kathleen Wilson of Mozilla's security engineering team.
 
DarkReading/ full article here/ http://www.darkreading.com/operations/security-growing-pangs-loom-for-100k+-sites-with-newly-untrusted-certificates/d/d-id/1315618?
