Mozilla/Firefox to stop accepting MD5 hash algorithm from June 30, 2011

Mozilla will be disabling MD5 in their environment from June 30, 2011. This means that any SSL certificate with an MD5 signature algorithm will not work in later Firefox browsers after that date.

RapidSSL has not used MD5 in certificates since May 2009. However, it is possible that a small number of older certificates may contain an MD5 signature.

In the next few months RapidSSL will be communicating to any affected customers that they should reissue their certificate. You do not have to wait for this email; you can re-issue your certificate now if it is affected.

Reissuing your certificate is a simple process and will ensure your certificate contains a SHA-1 signature algorithm.

For instructions on reissuing your certificate please see: How do I re-issue my SSL Certificate?

Filed under  //  SSL   advisory   firefox   md5   mozilla   rapidssl  
Posted by Andy Gambles 

Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent


This interesting and useful post on Web Browser Security User Interfaces: Hard to Get Right and Increasingly Inconsistent by Steve Schultze highlights the growing differences between how browsers interpret the varying security aspects of SSL certificates. I highly recommend reading the article to get a good understanding of how your website will look in all the different browsers depending on the type of SSL certificate you use.

Despite the CAB Forum's existence as a way of unifying the SSL/browser experience, each browser seems to have its own interpretation of how these "standards" should be implemented.

Earlier I posted about how Firefox 4.0 no longer had the padlock symbol on secure websites. The padlock symbol has been a long-standing and instantly recognised way of highlighting secure websites. But, as suggested by Firefox, has this led to a false sense of security?

Green is the emerging colour for websites using Extended Validation SSL certificates. But there are also wildly different interpretations of how this should be implemented. IE8+ has implemented an entire green address bar while Firefox and Chrome have opted for just the company name in green. Safari 4's implementation is even less obvious, with just the letters in green.

What is your view on the different browser implementations? Was Firefox right to drop the padlock symbol?

Filed under  //  EV   SSL   browsers   cab   chrome   firefox   forum   ie   safari  
Posted by Andy Gambles 

SSL Padlock removed from Firefox 4.0


For a long time the padlock symbol has been used in browsers to show when a connection is secure. However, from Firefox 4.0 Mozilla have decided that the padlock symbol will no longer be used. The reasoning appears to be that it has become misunderstood to incorrectly imply that the user is safe.

Bug 598973 indicates the padlock is missing, with a comment from Dave Garrett that it is being phased out. Further discussion also takes place on Bug 558551.

Instead, Firefox 4.0 is using the blue address bar button to indicate a site secured with a domain or organisation validated certificate and a green button to indicate extended validation SSL is in use.

Filed under  //  SSL   firefox  
Posted by Andy Gambles