Outdated payment terminals exempted by Mozilla from SHA-1 certificate ban
Less than two months after a ban came into effect for new SSL/TLS certificates signed with the weak SHA-1 hashing algorithm, exemptions are already starting to take shape.
Mozilla announced Wednesday that it will allow Symantec, which runs one of the world’s largest certificate authorities, to issue nine new SHA-1 certificates to a customer in order to accommodate over 10,000 payment terminals that haven’t been upgraded in time.
According to a discussion on the Mozilla security policy mailing list, Worldpay, a large payment processor, failed to migrate some of its SSL/TLS servers to SHA-2 certificates. As a result of an oversight, the company also didn’t obtain new SHA-1 certificates for those servers before Dec. 31, 2015, when it was still allowed to do so.