Worldpay outs self as provider of easy-to-crack payment services

Symantec asked for new SHA-1 certs to keep old payment kit alive. Mozilla said yes

Everyone knows the SHA-1 cipher is a relic that can be cracked without colossal effort. So why has Mozilla allowed Symantec to issue some new SHA-1 certificates?

Mozilla participates in Web PKI, the effort overseeing the issuance of certificates allowing browsers to identify themselves to servers. The organisation has learned that some of the root servers it trusts to verify certificates are also used to secure payment terminals' communications with servers. That means, Mozilla says, that “many payment-related devices continue to require their servers to have certificates which use SHA-1 in order to be able to operate.”

Mozilla sets some conditions for certificate issuance and has long since moved on to SHA-2 encryption.

But last week, Mozilla says, “ Worldpay PLC approached Mozilla through their Certificate Authority, Symantec, to request authorization to issue, in violation of standard policy, a limited number of SHA-1 certificates needed to support a large number of outdated devices.”

“They made this request less than two weeks before the authorization needed to be effective.”

If Mozilla did not accept those certificates, the payment terminals would be orphaned. So the organisation kicked the idea of some new SHA-1 certificates around for a while on a mailing list. After due deliberation it eventually acquiesced “only under a set of conditions that ensure that the issuance of SHA-1 certificates is fully transparent and allowed only for purposes of transition to SHA-2.”

Mozilla's not entirely happy, pointing out that it made its decision “despite the SHA-1 deadlines having been set years ago”.

Worldpay gets more time to move to SHA-2. And it also gets named and shamed as using SHA-1 for potentially sensitive payments data. Which may well interest criminal hacker types.

So thanks for that, everyone involved. You've made the internet a less safe place.

The incident highlights, yet again, that devices other than computers are becoming increasingly vulnerable. Whether by neglect – as in the case of Worldpay's slow SHA-2 migration – or ignorance – see the many insecure-by-design home routers and industrial kit – security problems in “things” now emerge with terrifying regularity. ®

Biting the hand that feeds IT © 1998–2020