Payments processor blunder revealed, company wants mercy

Feb 25, 2016 17:03 GMT

Mozilla has decided to grant an exemption to its SHA-1 certificate ban and allow Symantec to issue nine new certificates for one of its clients, Worldpay PLC.

Back in the autumn of 2015, a team of researchers showed that SHA-1 certificates were not as safe as they were once considered, after demonstrating an attack on the SHA-1 hash algorithm with far less hardware and money than previously estimated.

This event sparked a frenzy among tech companies and certificate authorities, who announced that starting with January 1, 2016, they would no longer "trust" SHA-1-based certificates, and that any CA (certificate authority) that issued one would be banned in the products of the CA/Browser Forum (meaning all browsers).

Organizations like Mozilla, Microsoft, and later Google announced that they would enforce the ban by not honoring any new SHA-1 certificates issued after January 1, 2016, and that they would later stop supporting SHA-1 certificates of any kind after June 30, 2016, or January 1, 2017.

Symantec is asking for an exemption for one of its clients

According to a discussion on the Mozilla security mailing list, Symantec is now asking for an exemption to this rule.

A company representative has informed Mozilla that one of its clients, Worldpay PLC, has asked for nine new SHA-1 certificates. Symantec explains that Worldpay forgot to request them for some of its servers, which handle SSL/TLS communications for over 10,000 payment terminals across the world.

Worldpay blames this situation on a communications mishap. The company says that someone forgot to request these certificates before the January 1 deadline.

The company says it is already in the middle of migrating its servers to SHA-2, but this blunder now puts some of its users at risk of having their payments fail.

Only Mozilla is on board with the exemption, not Apple, Microsoft, or Google

Internally, Mozilla has agreed to allow Symantec to issue these certificates under two conditions: the entire process must be transparent, and the certificates must expire after only 90 days.
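As an added example (not code from Mozilla, Symantec or Worldpay), the following Python applies the rules described above, the January 1, 2016 issuance cutoff, the later sunset of all SHA-1 certificates, and the 90-day exemption condition, to a certificate's signature algorithm and validity period. It reads the DER structure with a small hand-written decoder; the certificates it checks are constructed shells with empty names and a dummy signature, so it runs offline.

```python
import datetime as dt
# OID bodies (no tag/length) of the signature algorithms classified here.
SIG_ALGS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}
SHA1_RSA, SHA256_RSA = list(SIG_ALGS)
SHA1_ISSUANCE_CUTOFF = dt.datetime(2016, 1, 1)  # no new SHA-1 certs from this date
EXEMPTION_MAX_DAYS = 90                          # Mozilla's condition for the Worldpay certs

def tlv(tag, body):  # DER-encode one element (short-form length; enough for the constructed cert)
    return bytes([tag, len(body)]) + body
def utctime(d):
    return tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
def build_cert(alg_oid, not_before, not_after):
    """Constructed X.509 DER shell: real layout, empty names/key, dummy signature."""
    alg = tlv(0x30, tlv(0x06, alg_oid) + b"\x05\x00")
    validity = tlv(0x30, utctime(not_before) + utctime(not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))

def read_tlv(buf, pos=0):
    """Decode one DER element -> (tag, body, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out
def cert_facts(der):
    """Return (signature algorithm name, notBefore, notAfter) of a DER certificate."""
    tbs, sig_alg, _ = children(read_tlv(der)[1])  # TBSCertificate, AlgorithmIdentifier, signature
    alg_name = SIG_ALGS.get(children(sig_alg[1])[0][1], "unknown")
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    nb, na = (dt.datetime.strptime(b.decode(), "%y%m%d%H%M%SZ") for _, b in children(fields[3][1]))
    return alg_name, nb, na

def sha1_policy_verdict(der):  # classify against the 2016 SHA-1 rules described in the article
    alg, nb, na = cert_facts(der)
    if not alg.startswith("sha1"):
        return "ok: not SHA-1"
    if nb < SHA1_ISSUANCE_CUTOFF:
        return "legacy SHA-1: distrusted after the 2016/2017 sunset"
    if (na - nb).days <= EXEMPTION_MAX_DAYS:
        return "post-cutoff SHA-1: only acceptable under a 90-day exemption"
    return "post-cutoff SHA-1: reject"
```

The same check can be run over real certificates pulled from a server inventory, since the decoder follows the standard X.509 layout; only the constructed test certificates are simplified.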

Mozilla will not mark these new SHA-1 certificates as insecure in its products, but it also said it cannot guarantee that other browser makers will do the same.

Many security experts, including Mozilla's own, have argued that giving Worldpay a pass would only give other companies that failed to migrate to SHA-2 a reason to ask for the same treatment.

Given that Worldpay handles very sensitive financial information, Mozilla had a chance to make a point about the need to enforce the highest security standards for online transactions. Unfortunately, Mozilla failed, big time.