Firefox ban on SHA-1 dropped
Mozilla reinstates support for the vulnerable SHA-1 crypto
Mozilla has temporarily reinstated support for a vulnerable cryptographic algorithm after some Firefox users were unable to access encrypted HTTPS websites. The browser maker attributed the problem, an unintended consequence of deprecating support for SHA-1 certificates, to man-in-the-middle devices such as security scanners and anti-virus products.
In a blog post, security engineer Richard Barnes explained that most Firefox users aren't affected, and those who are can simply upgrade to the latest version of Firefox - version 43.0.4, released on Wednesday - to fix the problem.
"When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server's real certificate," Barnes explained.
"Since Firefox rejects new SHA-1 certificates, it can't connect to the server," he added.
The good news is that visiting Mozilla's security blog will tell you whether you're affected. If you are, you can upgrade from its website.