Mozilla certification revocation: 107,000 websites sunk by untrusted torpedo

Abandon hope all ye who click here

Over 107,000 websites have been consigned to the depths of the untrusted internet after Mozilla's move last week to drop 1024-bit certificate authority (CA) certificates from its trust store.

The latest release, Firefox 32, improved security by removing the 1024-bit CA certificates from the browser's trusted root store. Google's Chrome, on the other hand, has not yet removed support for the 1024-bit CA certificates over concerns about the number of websites that would likely be affected.

Mozilla's move was in line with best practice advice from boffins at the National Strategy for Trusted Identities in Cyberspace (NIST), who warned organisations to migrate to, and accept only, 2048-bit keys.

Rapid7 chief security officer HD Moore reported last week that 107,535 websites had been affected by the security upgrade. He obtained the data through the public network analysis tool Project Sonar.

1024 certificate expiry: HD Moore

"There is a little disagreement that 1024-bit RSA keys may be cracked today by adversaries with the resources of nation states [and eventually] by operators of relatively small clusters of commodity hardware," Moore said.

"In the case of a CA key, the successful factoring of the RSA primes would allow an adversary to sign any certificate just as the CA in question would. This would allow impersonation of any 'secure' web site, so long as the software you use still trusts these keys."

The sites were identified from 65 million unique certificates checked against some 20 million indexed websites. The majority of certificates used by affected sites would expire within the next 12 months, minimising coin wasted on insecure certificates, while 13,000 sites were already using expired certificates issued by Vodafone that had been valid until last July.

"While Mozilla's decision will affect a few sites, most of those that are active and affected have already expired, and shouldn't be trusted on that basis alone," Moore said.

He added this recommendation: "If you still use a 1024-bit RSA key for any other purpose, such as Secure Shell (SSH) or PGP, it is past time to consider those obsolete and start rolling out stronger keys, of at least 2048 bits, and using ECC-based keys where available." ®
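The check a site operator would actually want after reading this is an audit of their own certificate chain for RSA keys below the 2048-bit floor NIST recommends. The Go program below is an added example, not code from Rapid7, Project Sonar or Mozilla: it parses a PEM bundle, reports every certificate whose RSA modulus is shorter than the floor, and skips non-RSA (ECC) keys, which the bit-length comparison does not apply to. The bundle it audits is constructed in-process from freshly generated keys (a 1024-bit RSA "CA", a 2048-bit RSA leaf and a P-256 ECDSA leaf); the names and the `minRSABits` constant are assumptions for the demo, not values from the article.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// minRSABits is the floor from the NIST guidance the article cites (assumed constant name).
const minRSABits = 2048

// Finding names one certificate whose RSA key is below the floor.
type Finding struct {
	Subject string
	Bits    int
}

// WeakRSAKeys reports every certificate in the chain whose RSA modulus is shorter
// than minBits. ECDSA and other non-RSA keys are not subject to this check and are skipped.
func WeakRSAKeys(chain []*x509.Certificate, minBits int) []Finding {
	var out []Finding
	for _, c := range chain {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits < minBits {
			out = append(out, Finding{Subject: c.Subject.CommonName, Bits: bits})
		}
	}
	return out
}

// ParsePEMChain decodes every CERTIFICATE block in a PEM bundle, in order.
func ParsePEMChain(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return chain, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
}

// selfSigned builds a constructed, self-signed test certificate for key; it is not a real CA.
func selfSigned(cn string, key crypto.Signer, isCA bool) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildSampleBundle constructs the PEM bundle under audit: a 1024-bit RSA "CA",
// a 2048-bit RSA leaf and a P-256 ECDSA leaf. All keys are generated here; the
// subjects are made-up test names.
func BuildSampleBundle() ([]byte, error) {
	weakCA, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	strong, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var bundle []byte
	for _, e := range []struct {
		cn  string
		key crypto.Signer
		ca  bool
	}{{"Weak Test CA", weakCA, true}, {"www.example.test", strong, false}, {"ecc.example.test", ec, false}} {
		p, err := selfSigned(e.cn, e.key, e.ca)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

// AuditSampleBundle parses the constructed bundle and returns the weak-key findings.
func AuditSampleBundle() ([]Finding, error) {
	bundle, err := BuildSampleBundle()
	if err != nil {
		return nil, err
	}
	chain, err := ParsePEMChain(bundle)
	if err != nil {
		return nil, err
	}
	return WeakRSAKeys(chain, minRSABits), nil
}

func main() {
	findings, err := AuditSampleBundle()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d-bit RSA key is below the %d-bit floor\n", f.Subject, f.Bits, minRSABits)
	}
}
```

To audit a real deployment, replace `BuildSampleBundle` with the bytes of the server's PEM chain (for example the output of the TLS handshake, or the bundle file the web server is configured with) and feed them to `ParsePEMChain`; the only finding on the constructed bundle is the 1024-bit CA, which is exactly the class of certificate Firefox 32 stopped trusting.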
