Recently, Mozilla launched Firefox 32.0. This new version is all about enhanced security and upgraded safety features.
According to the report from Mozilla's NSS (Network Security Services) team, support for certificates with 1024-bit RSA keys has ended: such certificates, together with the corresponding code signing certificates, have been removed from the NSS trust bits. As a result of this removal, Firefox shows an "Untrusted Connection" error for any website or software protected by a certificate whose key is shorter than 2048 bits.
Mozilla intends to provide a more secure browsing environment for its users. It is therefore encouraging all website owners and admins to migrate from 1024-bit SSL certificates to more secure ones with 2048-bit keys.
1024-bit SSL certificates have been found to be vulnerable to the advanced attacks now being carried out by well-resourced adversaries. Compromising a 2048-bit SSL certificate, whose key is twice as long, remains impractical for an attacker.
In Firefox 32.0, Mozilla has turned off support for 1024-bit SSL and code signing certificates. Industry experts no longer recommend them, not only because they are insecure and less trustworthy, but also for the reasons listed below:
- Under the Certification Authority/Browser (CA/B) Forum guidelines, a 2048-bit SSL certificate has been mandatory since January 2014.
- Encryption strength of 1024-bit SSL certificates is far inferior compared to 2048-bit SSL certificates.
- Mozilla considers 1024-bit SSL certificates as highly vulnerable and weak in terms of security.
- NIST (National Institute of Standards and Technology) considers 1024-bit certificates obsolete and ineffective as of 2013.
According to the latest research and analysis by Rapid7.com on 1024-bit SSL certificates, about 107,000 websites are no longer trusted by Mozilla because of the withdrawn support.
It is now mandatory for all websites still relying on 1024-bit SSL certificates to migrate to certificates with 2048-bit or stronger keys.
How do I migrate from 1024-bit SSL to 2048-bit SSL Certificates?
Option 1: If your website is protected with a 1024-bit SSL certificate, you must purchase a new SSL certificate with a stronger key and install it on your web server.
Option 2: If only your website's intermediate SSL certificate is 1024-bit, you just need to download a 2048-bit intermediate certificate from your certificate provider and update the certificate chain on your web server.
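Deciding between the two options means knowing the RSA key size of every certificate in the chain you serve, not just the leaf. The following audit script is an added example written for this article, not code from Mozilla or from any certificate provider: it walks the DER structure of an X.509 certificate with the standard library only, reads the modulus length from the SubjectPublicKeyInfo, and reports each chain element below 2048 bits. Because a real certificate cannot be embedded here, the sample chain is constructed by build_sample_certificate, which produces certificate-shaped DER with a random odd modulus of the requested size; it is not a real key and is not signed, and exists only to exercise the parser.

```python
import base64
import secrets

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as a complete DER TLV: tag 0x06, length 9, value.
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")


def der_read(buf, pos=0):
    """Read one DER TLV at pos and return (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value (SEQUENCE etc.) into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def der_encode(tag, content):
    """Wrap content in a DER header, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_integer(n):
    """DER INTEGER for a non-negative n (a leading 0x00 is added when the top bit is set)."""
    return der_encode(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def pem_to_der(pem_text):
    """Strip the -----BEGIN/END----- armour of a PEM file and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def spki_from_certificate(cert_der):
    """Locate the SubjectPublicKeyInfo TLV inside a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(cert_der)
    _, tbs = der_children(cert)[0]             # tbsCertificate is the first element
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # EXPLICIT [0] version is optional; skip it if present
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, content = fields[5]
    return der_encode(tag, content)


def rsa_key_bits(spki_der):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    _, spki, _ = der_read(spki_der)
    (alg_tag, alg), (key_tag, key) = der_children(spki)[:2]
    if alg_tag != 0x30 or not alg.startswith(RSA_OID_TLV):
        return None
    if key_tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    _, rsa_pub, _ = der_read(key[1:])          # key[0] is the BIT STRING's unused-bits count
    _, modulus = der_children(rsa_pub)[0]      # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    return int.from_bytes(modulus, "big").bit_length()


def audit_chain(chain, minimum=2048):
    """chain: list of (label, certificate DER). Return (label, bits) for RSA keys below the minimum."""
    weak = []
    for label, cert_der in chain:
        bits = rsa_key_bits(spki_from_certificate(cert_der))
        if bits is not None and bits < minimum:
            weak.append((label, bits))
    return weak


def build_sample_certificate(bits):
    """CONSTRUCTED test input: certificate-shaped DER carrying a random odd modulus of the requested
    size. It is not a real key and is not signed; it exists only to exercise the parser above."""
    modulus = (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1
    rsa_pub = der_encode(0x30, der_integer(modulus) + der_integer(65537))
    alg = der_encode(0x30, RSA_OID_TLV + b"\x05\x00")          # AlgorithmIdentifier { rsaEncryption, NULL }
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa_pub))
    validity = der_encode(0x30, der_encode(0x17, b"140901000000Z") + der_encode(0x17, b"150901000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_integer(2)) + der_integer(1) + alg
                     + der_encode(0x30, b"") + validity + der_encode(0x30, b"") + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    # Constructed chain: a 2048-bit leaf under a 1024-bit intermediate, the Option 2 situation.
    chain = [("leaf", build_sample_certificate(2048)),
             ("intermediate", build_sample_certificate(1024)),
             ("root", build_sample_certificate(2048))]
    for label, bits in audit_chain(chain):
        print(f"{label}: {bits}-bit RSA key is below 2048 bits and must be replaced")
```

To run this against your own chain, read each PEM file, pass it through pem_to_der and hand the list to audit_chain; the same figure can be cross-checked with `openssl x509 -in cert.pem -noout -text` and its Public-Key line. A weak intermediate with a 2048-bit leaf is the Option 2 case (swap the intermediate), while a weak leaf is Option 1 (reissue the certificate with a new key); a 1024-bit root is the case the article says Mozilla will stop trusting regardless of the rest of the chain.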
Mozilla plans to complete the migration away from 1024-bit certificates in the first quarter of 2015. It is also considering phasing out certificates from providers such as Thawte, VeriSign, Equifax and GTE CyberTrust that have 1024-bit roots. In 2015, therefore, Mozilla will not trust any 1024-bit SSL certificate, whatever its source.
Google Chrome has likewise classed the SHA-1 algorithm as insecure and announced plans to begin removing SHA-1 as a trusted algorithm. Google is also encouraging website owners and admins to move to SHA-2 to secure their websites.