Mozilla is allowing another exception to its October decision to deprecate SHA-1 certificates. The open-source software maker will allow Symantec to issue nine new certificates to the payment processor Worldpay to maintain 10,000 payment terminals.
The move has raised concerns that the exception will set Mozilla on a slippery slope, and that it will soon face pressure to issue exceptions to other certificate authorities.
“We understand that there are payment processing organisations other than Worldpay that continue to have similar requirements for SHA-1 — either within the Web PKI or outside it,” wrote Firefox security lead Richard Barnes, on the Mozilla security blog. “It is disappointing that these organisations are putting the public's data at risk by using a weak, outdated security technology.”
Last month, Mozilla's Firefox browser started to reject the insecure SHA-1 certificates, but the company promptly issued a Firefox update after noticing that legitimate “man-in-the-middle” devices, including some security scanner models and antivirus products, could not connect to HTTPS sites.
At the time, Barnes wrote in an email to SCMagazine.com that Firefox would remove support for SHA-1 certificates again as soon as the man-in-the-middle issue was resolved.