Outdated payment terminals exempted by Mozilla from SHA-1 certificate ban

Less than two months after a ban came into effect for new SSL/TLS certificates signed with the weak SHA-1 hashing algorithm, exemptions are already starting to take shape.

Mozilla announced Wednesday that it will allow Symantec, which runs one of the world’s largest certificate authorities, to issue nine new such certificates to a customer in order to accommodate over 10,000 payment terminals that haven’t been upgraded in time.

According to a discussion on the Mozilla security policy mailing list, Worldpay, a large payment processor, failed to migrate some of its SSL/TLS servers to SHA-2 certificates. As a result of an oversight, the company also didn’t obtain new SHA-1 certificates for those servers before Dec. 31, 2015, when it was still allowed to do so.

SHA-1, an aging hashing algorithm, is in the process of being phased out because it is theoretically vulnerable to attacks that could result in forged digital certificates and it’s only a matter of time before someone gains the capability to do this.

As a result, the CA/Browser Forum, a group of certificate authorities and browser makers that sets guidelines for the issuance and use of digital certificates, decided that new SHA-1-signed certificates should not be issued after Jan. 1, 2016. SHA-1 certificates issued before that date will continue to be trusted by browsers until they expire or until Jan. 1, 2017, whichever comes first.

+ BACKGROUND: Google joins Mozilla, Microsoft in pushing for early SHA-1 crypto cutoff +

Because of these CA industry rules and because it missed the deadline, Worldpay found itself unable to replace the SHA-1 certificates that currently exist on some of its servers and which are set to expire on Feb. 28.

The problem is that there are over 10,000 payment terminals used by merchants around the world that need to communicate with those affected servers in order to process transactions. Those terminals do not support certificates signed with the newer and more secure SHA-2 algorithm and cannot be replaced in time.

Worldpay has now approached Symantec with a request for new SHA-1 certificates, but Symantec needs to obtain an exemption from the CA/B Forum in order to issue such certificates after the Jan. 1 deadline. Otherwise it risks having its root certificates untrusted by browsers and operating system vendors for violating the industry accepted rules.

After a day of discussions, Mozilla agreed to allow Symantec to issue the requested certificates to Worldpay, but under certain conditions like limiting their lifespan to 90 days and publishing them in Certificate Transparency logs.

“This authorization means that Symantec can issue SHA-1 certificates that will enable Worldpay’s devices to keep operating a while longer, and that issuance will not be regarded by Mozilla as a defect,” said Richard Barnes, the Firefox security lead at Mozilla, in a blog post Wednesday. “This decision only affects the Mozilla root program; other root programs may still consider the issuance of these certificates to be a mis-issuance.”

This means that Symantec also needs to ask the maintainers of other trusted root certificate programs, like Microsoft and Apple, for permission.

If it gets the go-ahead, this will establish a precedent and other companies might come asking for additional exemptions. Mozilla acknowledged that it is willing to consider similar requests on a case by case basis, if those requests are made at least two weeks in advance of the expected issuing date for new certificates.

“We understand that there are payment processing organizations other than Worldpay that continue to have similar requirements for SHA-1 — either within the Web PKI [public key infrastructure] or outside it,” Barnes said. “It is disappointing that these organizations are putting the public’s data at risk by using a weak, outdated security technology. We encourage organizations with a continuing need for SHA-1 in the Web PKI to come forward as soon as possible and provide as much detail as possible about their plans for a transition to SHA-2.”

This is not the first and probably won’t be the last concession that browser makers will have to make regarding their plan to retire SHA-1 certificates from the Internet.

In January, Mozilla was forced to undo a change that it made in Firefox to ban all SHA-1 certificates issued after Jan. 1. It turned out that some security devices that performed man-in-the-middle SSL/TLS traffic inspection were using self-signed SHA-1 certificates. Because of the ban, Firefox users on networks that used such devices were suddenly unable to access any HTTPS websites.

Meanwhile, Facebook and CloudFlare are pushing for the creation of a new class of SHA-1-signed certificates that HTTPS websites would be allowed to use only with legacy browsers and mobile clients that don’t support SHA-2 certificates.