Less than two months after a ban came into effect for new SSL/TLS certificates signed with the weak SHA-1 hashing algorithm, exemptions are already starting to take shape.
Mozilla announced Wednesday that it will allow Symantec, which runs one of the world's largest certificate authorities, to issue nine new such certificates to a customer in order to accommodate over 10,000 payment terminals that haven't been upgraded in time.
According to a discussion on the Mozilla security policy mailing list, Worldpay, a large payment processor, failed to migrate some of its SSL/TLS servers to SHA-2 certificates. As a result of an oversight, the company also didn't obtain new SHA-1 certificates for those servers before Dec. 31, 2015, when it was still allowed to do so.
SHA-1, an aging hashing algorithm, is in the process of being phased out because it is theoretically vulnerable to attacks that could result in forged digital certificates and it's only a matter of time before someone gains the capability to do this.
As a result, the CA/Browser Forum, a group of certificate authorities and browser makers that sets guidelines for the issuance and use of digital certificates, decided that new SHA-1-signed certificates should not be issued after Jan. 1, 2016. SHA-1 certificates issued before that date will continue to be trusted by browsers until they expire or until Jan. 1, 2017, whichever comes first.
Because of these CA industry rules and because it missed the deadline, Worldpay found itself unable to replace the SHA-1 certificates that currently exist on some of its servers and which are set to expire on Feb. 28.
The problem is that there are over 10,000 payment terminals used by merchants around the world that need to communicate with those affected servers in order to process transactions. Those terminals do not support certificates signed with the newer and more secure SHA-2 algorithm and cannot be replaced in time.
Worldpay has now approached Symantec with a request for new SHA-1 certificates, but Symantec needs to obtain an exemption from the CA/B Forum in order to issue such certificates after the Jan. 1 deadline. Otherwise it risks having its root certificates untrusted by browsers and operating system vendors for violating the industry accepted rules.
After a day of discussions, Mozilla agreed to allow Symantec to issue the requested certificates to Worldpay, but under certain conditions like limiting their lifespan to 90 days and publishing them in Certificate Transparency logs.
"This authorization means that Symantec can issue SHA-1 certificates that will enable Worldpay’s devices to keep operating a while longer, and that issuance will not be regarded by Mozilla as a defect," said Richard Barnes, the Firefox security lead at Mozilla, in a blog post Wednesday. "This decision only affects the Mozilla root program; other root programs may still consider the issuance of these certificates to be a mis-issuance."
Sign up for CIO Asia eNewsletters.