Mozilla decided to still trust Equifax, but development has already distrusted

Question asked by Adm Selec on Apr 24, 2015
Latest reply on Apr 28, 2015 by Ivan Ristić

As part of distrusting 1024-bit roots, Equifax Secure Certificate Authority has to die: 986019 – Turn off SSL and Code Signing trust bits for Equifax 1024-bit roots

But here is a snag: too many sites chain to it. So here comes this bug: 1155279 – Temporarily re-enable Equifax Secure Certificate Authority 1024-bit root

And a new one here: 1156844 – Turn off Trust bits for Equifax Secure Certificate Authority 1024-bit root certificate

Equifax trust tracking server — equifax.serverhello.com

PRODUCTION

SSL Server Test: equifax.serverhello.com (Powered by Qualys SSL Labs)

Authentication

Server Key and Certificate #1
Common names: equifax.serverhello.com
Alternative names: equifax.serverhello.com
Prefix handling: Not required for subdomains
Valid from: Wed Apr 22 13:01:38 PDT 2015
Valid until: Sat Apr 23 19:21:31 PDT 2016 (expires in 11 months and 30 days)
Key: RSA 4096 bits (e 65537)
Weak key (Debian): No
Issuer: RapidSSL SHA256 CA - G3
Signature algorithm: SHA256withRSA
Extended Validation: No
Revocation information: CRL, OCSP
Revocation status: Good (not revoked)
Trusted: Yes

Additional Certificates (if supplied)
Certificates provided: 4 (4227 bytes)
Chain issues: Contains anchor

#2
Subject: RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
Valid until: Fri May 20 14:39:32 PDT 2022 (expires in 7 years)
Key: RSA 2048 bits (e 65537)
Issuer: GeoTrust Global CA
Signature algorithm: SHA256withRSA

#3
Subject: GeoTrust Global CA
Fingerprint: 7359755c6df9a0abc3060bce369564c8ec4542a3
Valid until: Mon Aug 20 21:00:00 PDT 2018 (expires in 3 years and 3 months)
Key: RSA 2048 bits (e 65537)
Issuer: Equifax / Equifax Secure Certificate Authority
Signature algorithm: SHA1withRSA   WEAK

#4
Subject: Equifax / Equifax Secure Certificate Authority   In trust store
Fingerprint: d23209ad23d314232174e40d7f9d62139786633a
Valid until: Wed Aug 22 09:41:51 PDT 2018 (expires in 3 years and 3 months)
Key: RSA 1024 bits (e 65537)   WEAK
Issuer: Equifax / Equifax Secure Certificate Authority   Self-signed
Signature algorithm: SHA1withRSA   Weak, but no impact on root certificate

Certification Paths

Path #1: Trusted
1. Sent by server: equifax.serverhello.com
   Fingerprint: 9a5831fa887cdeb127a807a0d1761ad1fb319bfe
   RSA 4096 bits (e 65537) / SHA256withRSA
2. Sent by server: RapidSSL SHA256 CA - G3
   Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
   RSA 2048 bits (e 65537) / SHA256withRSA
3. In trust store: GeoTrust Global CA   Self-signed
   Fingerprint: de28f4a4ffe5b92fa3c503d1a349a7f9962a8212
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

Path #2: Trusted
1. Sent by server: equifax.serverhello.com
   Fingerprint: 9a5831fa887cdeb127a807a0d1761ad1fb319bfe
   RSA 4096 bits (e 65537) / SHA256withRSA
2. Sent by server: RapidSSL SHA256 CA - G3
   Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
   RSA 2048 bits (e 65537) / SHA256withRSA
3. Sent by server: GeoTrust Global CA
   Fingerprint: 7359755c6df9a0abc3060bce369564c8ec4542a3
   RSA 2048 bits (e 65537) / SHA1withRSA
   WEAK SIGNATURE
4. Sent by server, In trust store: Equifax / Equifax Secure Certificate Authority   Self-signed
   Fingerprint: d23209ad23d314232174e40d7f9d62139786633a
   RSA 1024 bits (e 65537) / SHA1withRSA
   WEAK KEY IN MOZILLA'S TRUST STORE
   Weak or insecure signature, but no impact on root certificate

DEVELOPMENT

SSL Server Test: equifax.serverhello.com (Powered by Qualys SSL Labs)

Authentication

Server Key and Certificate #1
Common names: equifax.serverhello.com
Alternative names: equifax.serverhello.com
Prefix handling: Not required for subdomains
Valid from: Wed, 22 Apr 2015 20:01:38 UTC
Valid until: Sun, 24 Apr 2016 02:21:31 UTC (expires in 11 months and 30 days)
Key: RSA 4096 bits (e 65537)
Weak key (Debian): No
Issuer: RapidSSL SHA256 CA - G3
Signature algorithm: SHA256withRSA
Extended Validation: No
Certificate Transparency: No
Revocation information: CRL, OCSP
Revocation status: Good (not revoked)
Trusted: Yes

Additional Certificates (if supplied)
Certificates provided: 4 (4227 bytes)
Chain issues: Extra certs, Contains anchor

#2
Subject: RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
Valid until: Fri, 20 May 2022 21:39:32 UTC (expires in 7 years)
Key: RSA 2048 bits (e 65537)
Issuer: GeoTrust Global CA
Signature algorithm: SHA256withRSA

#3
Subject: GeoTrust Global CA
Fingerprint: 7359755c6df9a0abc3060bce369564c8ec4542a3
Valid until: Tue, 21 Aug 2018 04:00:00 UTC (expires in 3 years and 3 months)
Key: RSA 2048 bits (e 65537)
Issuer: Equifax / Equifax Secure Certificate Authority
Signature algorithm: SHA1withRSA   WEAK

#4
Subject: Equifax / Equifax Secure Certificate Authority   Not in trust store
Fingerprint: d23209ad23d314232174e40d7f9d62139786633a
Valid until: Wed, 22 Aug 2018 16:41:51 UTC (expires in 3 years and 3 months)
Key: RSA 1024 bits (e 65537)   WEAK
Issuer: Equifax / Equifax Secure Certificate Authority   Self-signed
Signature algorithm: SHA1withRSA   Weak, but no impact on root certificate

Certification Paths

Path #1: Trusted
1. Sent by server: equifax.serverhello.com
   Fingerprint: 9a5831fa887cdeb127a807a0d1761ad1fb319bfe
   RSA 4096 bits (e 65537) / SHA256withRSA
2. Sent by server: RapidSSL SHA256 CA - G3
   Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
   RSA 2048 bits (e 65537) / SHA256withRSA
3. In trust store: GeoTrust Global CA   Self-signed
   Fingerprint: de28f4a4ffe5b92fa3c503d1a349a7f9962a8212
   RSA 2048 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate

Path #2: Not trusted (path does not chain to a trusted anchor)
1. Sent by server: equifax.serverhello.com
   Fingerprint: 9a5831fa887cdeb127a807a0d1761ad1fb319bfe
   RSA 4096 bits (e 65537) / SHA256withRSA
2. Sent by server: RapidSSL SHA256 CA - G3
   Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
   RSA 2048 bits (e 65537) / SHA256withRSA
3. Sent by server: GeoTrust Global CA
   Fingerprint: 7359755c6df9a0abc3060bce369564c8ec4542a3
   RSA 2048 bits (e 65537) / SHA1withRSA
   WEAK SIGNATURE
4. Sent by server, Not in trust store: Equifax / Equifax Secure Certificate Authority   Self-signed
   Fingerprint: d23209ad23d314232174e40d7f9d62139786633a
   RSA 1024 bits (e 65537) / SHA1withRSA
   WEAK KEY
   Weak or insecure signature, but no impact on root certificate

Related thread: Weak Key in Certification Path
