Mozilla Ditches 170,000 Sites After Mass Certificate Revoke

Over 170,000 websites are no longer trusted by Mozilla after the firm removed all 1024-bit certificate authority (CA) certificates from its approved list with the launch of Firefox 32, according to security researchers.

A total of 107,535 sites were affected by the security upgrade, according to security vendor Rapid7.

The firm has been collecting and scanning certificates since it kicked off open source security initiative Project Sonar in September 2013.

It loaded 150 scans into a Postgres database, generating over 65 million certificates which it then checked against 20 million indexed websites, the blog post noted.

Although 107,535 is a “relatively large number” and works out at “roughly half a percent of all the websites” in Rapid7’s database, a large number of these certs has already expired and “the rest will do so over the next year,” it continued.

Over 13,000 were apparently issued by Vodafone and expired on July 1, although they’re still being used today.

Mozilla’s decision to no longer trust the 1024-bit keys follows the advice of the National Institute of Standards and Technology (NIST), which recommended they be deprecated in 2010 and disallowed after 2013.

“There is a little disagreement that 1024-bit RSA keys may be cracked today by adversaries with the resources of nation states. As technology marches on, the security of 1024-bit keys will continue to deteriorate and become accessible by operators of relatively small clusters of commodity hardware,” wrote Rapid7.

“In the case of a CA key, the successful factoring of the RSA primes would allow an adversary to sign any certificate just as the CA in question would. This would allow impersonation of any ‘secure’ web site, so long as the software you use still trusts these keys.”

In removing the certificates, it seems Mozilla has stolen a march on some of its rivals, most notably Chrome, which still supports them.

The move came as part of a Firefox 32 launch with security at its heart, featuring public key pinning to help prevent man-in-the-middle attacks.

The launch also featured patches for two critical use-after-free flaws.

Mozilla Ditches 170,000 Sites After Mass Certificate Revoke

You may also like

Interview: John Merrill, CEO, DigiCert

High-Severity Flaws Fixed in Firefox 115 Update

Interview: Paul Vixie, CEO, Farsight Security

Firefox 60's WebAuthn API: No Password Required

Mozilla Patches 17 Security Holes with Firefox 36

What’s hot on Infosecurity Magazine?

TA455’s Iranian Dream Job Campaign Targets Aerospace with Malware

Phishing Tool GoIssue Targets Developers on GitHub

How to Backup and Restore Database in SQL Server

Microsoft Fixes Four More Zero-Days in November Patch Tuesday

CISOs Turn to Indemnity Insurance as Breach Pressure Mounts

EU Ramps Up Cyber Resilience with Major Crisis Simulation Exercise

Microsoft Visio Files Used in Sophisticated Phishing Attacks

Chinese Air Fryers May Be Spying on Consumers, Which? Warns

New Remcos RAT Variant Targets Windows Users Via Phishing

UK Regulator Urges Stronger Data Protection in AI Recruitment Tools

NCSC Publishes Tips to Tackle Malvertising Threat

Defenders Outpace Attackers in AI Adoption

The Future of Fraud: Defending Against Advanced Account Attacks

How to Manage Your Risks and Protect Your Financial Data

New Cyber Regulations: What it Means for UK and EU Businesses

Identifying Concentration Risk and Securing the Supply Chain

How to Unlock Frictionless Security with Device Identity & MFA

How to Proactively Remediate Rising Web Application Threats

Defenders Outpace Attackers in AI Adoption

ISACA CEO Erik Prusch on AI Fundamentals, Workforce, and Tackling Cybersecurity Challenges

31 New Ransomware Groups Join the Ecosystem in 12 Months

How Belgium's Leonidas Project Boosts National Cyber Resilience

Protecting the Healthcare Supply Chain Against Russian Ransomware Attacks

Snowflake Hacking Suspect Arrested in Canada