Get a New SSL Certificate if You Have a 1024-bit Cert
When Mozilla released Firefox 32, it also removed a number of root certificates from the browser's trust store. The move was not made because those certificates were found to be fraudulent or because the CAs that issued them had been compromised; it was made simply because the certificates use 1024-bit keys.
More Secure Browsing Experience
According to Mozilla, the main purpose of removing the root certificates is to give web users a more secure browsing experience, and alongside that Mozilla is encouraging organizations to move to 2048-bit keys. Longer keys are more resistant to attack, and several companies, including Microsoft and Google, have been urging organizations to move away from the shorter keys over the last couple of years.
In Firefox 32, Mozilla removed trust for root certificates from GoDaddy, SECOM, Entrust, Symantec, VeriSign and NetLock. As a result, some organizations may have to obtain new SSL certificates.
If you run an SSL-enabled website, the Firefox change has no impact on you as long as your certificate, and every CA certificate above it in the chain, uses a key of 2048 bits or longer. However, if your SSL certificate has a 1024-bit key, or was issued by a CA whose certificate has a 1024-bit key, you may need to obtain a new SSL certificate because of Mozilla's move.
After obtaining the new certificate, install it on your web server. If the intermediate certificate you have been using has a 1024-bit key, you will also need to download the 2048-bit intermediate certificate from the CA and update the certificate chain served by your web server.
Phasing Out of Root Certificates
Mozilla plans to phase out root certificates from several other providers in the coming months, including VeriSign, Thawte, Equifax and GTE CyberTrust; root certificates issued by Equifax will be handled in a later step. Mozilla's stated target is to finish the migration away from 1024-bit certificates in the first half of 2015, after which the browser will no longer use any 1024-bit certificate to identify websites or software makers.
Mozilla's change is just one of several such initiatives by browser vendors. Google is in the process of phasing out the SHA-1 hash algorithm, and eventually Google Chrome will no longer trust certificates signed with SHA-1. SHA-1 is said to be weaker now than it was believed to be when it was first released in 2005, nine years ago; according to Google, collision attacks against SHA-1 have become too affordable for it to be considered safe for public use.
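As an added example (not part of the article, and not a Mozilla or CA tool), the following POSIX shell script audits the certificate chain a web server actually serves, covering both the 1024-bit key check described above and the SHA-1 signature phase-out mentioned here. It splits a PEM bundle into its individual certificates, reports each key size and signature algorithm using the openssl command-line tool, and fails when any key is shorter than 2048 bits or any certificate is signed with SHA-1. It assumes openssl is installed and that the bundle is in the order the server sends it (leaf certificate first, then the intermediates); the chain file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Audit a PEM certificate chain for keys shorter than a minimum size and for
# SHA-1 signatures. Added example, not from the article; assumes the openssl
# CLI is installed and that the chain is a PEM bundle as served by the web
# server (leaf certificate first, then the intermediate(s)).

MIN_BITS=2048

# For each certificate in the bundle print one line:
#   <key bits> <signature algorithm> <subject>
chain_key_sizes() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate, numbered in chain order;
    # anything before the first BEGIN line (e.g. "Bag Attributes") is dropped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/" sprintf("%02d", n) ".pem") }' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        text=$(openssl x509 -in "$f" -noout -text)
        # Key size line looks like "Public-Key: (2048 bit)" (with or without an
        # "RSA " prefix depending on the OpenSSL version).
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption.
        sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1)
        subject=$(openssl x509 -in "$f" -noout -subject)
        printf '%s %s %s\n' "${bits:-0}" "${sigalg:-unknown}" "$subject"
    done
    rm -rf "$tmp"
}

# Exit status 0 when the bundle contains at least one certificate, every key
# is at least MIN_BITS and no certificate is signed with SHA-1; 1 otherwise.
chain_meets_minimum() {
    chain_key_sizes "$1" | awk -v min="$MIN_BITS" '
        { n++ }
        $1 + 0 < min + 0 { bad = 1 }
        $2 ~ /^sha1/     { bad = 1 }
        END { if (n == 0 || bad) exit 1; exit 0 }'
}

# Usage: sh check_chain.sh /path/to/server-chain.pem   (placeholder path)
if [ "$#" -gt 0 ]; then
    chain_key_sizes "$1"
    if chain_meets_minimum "$1"; then
        echo "OK: every key is >= $MIN_BITS bits and no certificate is signed with SHA-1"
    else
        echo "ACTION NEEDED: replace the flagged certificate(s) and update the served chain" >&2
        exit 1
    fi
fi
```

The root certificate that Mozilla removed is normally not in the bundle your server sends (it lives in the browser's trust store), so this script only tells you about the leaf and intermediate certificates you control; confirm with your CA that the 2048-bit intermediate you install chains to a root Firefox still trusts.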