Over 170,000 websites are no longer trusted by Mozilla after the firm removed all 1024-bit certificate authority (CA) certificates from its approved list of certificates.
A total of 107,535 sites were affected by the security upgrade, according to security vendor Rapid7.
The firm has been collecting and scanning certificates since it kicked off the open source security initiative Project Sonar in September 2013.
It loaded 150 scans into a Postgres database, generating over 65 million certificates which it then checked against 20 million indexed websites, the blog post noted.
Although 107,535 is a big number , a large number of these certs has already expired and “the rest will do so over the next year,” it continued.
Over 13,000 were apparently issued by Vodafone and expired on July 1, although they’re still being used today.
Mozilla’s decision to no longer trust the 1024-bit keys follows the advice of the National Institute of Standards and Technology (NIST), which recommended they be deprecated in 2010 and disallowed after 2013.
“There is a little disagreement that 1024-bit RSA keys may be cracked today by adversaries with the resources of nation states. As technology marches on, the security of 1024-bit keys will continue to deteriorate and become accessible by operators of relatively small clusters of commodity hardware,” wrote Rapid7.
“In the case of a CA key, the successful factoring of the RSA primes would allow an adversary to sign any certificate just as the CA in question would. This would allow impersonation of any ‘secure’ web site, so long as the software you use still trusts these keys.”
