Sites cling to a million flawed, fading SHA-1 certificates: Netcraft

British security bod Paul Mutton says scores of websites including big ticket companies like Deloitte are among a million outfits using outdated and vulnerable SHA-1-coded certificates which researchers have recently badged deceased. The hash function was this month busted by a crypto cadre with $US75,000 of cloud computing …
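The survey figure above comes down to one question per site: which hash does the certificate's signature use? The script below is an added example (not code from the article, Netcraft, or any commenter) that answers it with the Python standard library alone. It walks the outer Certificate SEQUENCE (RFC 5280 4.1.1) to read the signatureAlgorithm OID, checks that it matches the copy inside tbsCertificate as RFC 5280 4.1.2.3 requires, and flags MD5 and SHA-1. The sample certificates it builds are constructed, unsigned dummies for demonstration; `pem_to_der` lets it read a real PEM file instead.

```python
"""Report which hash an X.509 certificate's signature uses and flag deprecated ones.
Added example for this thread (not the article's or Netcraft's code); stdlib only.
A minimal DER walker reads signatureAlgorithm from the Certificate SEQUENCE (RFC 5280 4.1.1)."""
import base64
import re

# AlgorithmIdentifier OIDs -> (name, hash), from RFC 3279 / RFC 4055 / RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}
DEPRECATED_HASHES = {"MD5", "SHA-1"}  # collision resistance broken or nearly so

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x80|N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem_text):
    """Strip PEM armor and base64-decode, so real certificate files can be fed in."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem_text).split()))

def classify_certificate(der):
    """Return {"oid", "algorithm", "hash", "deprecated"} for a DER certificate."""
    tag, cert, _ = read_tlv(der)
    tbs_tag, tbs, pos = read_tlv(cert)      # tbsCertificate
    alg_tag, alg, _ = read_tlv(cert, pos)   # signatureAlgorithm
    oid_tag, oid_octets, _ = read_tlv(alg)
    if (tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a Certificate SEQUENCE")
    oid = decode_oid(oid_octets)
    # RFC 5280 4.1.2.3: tbsCertificate.signature must equal signatureAlgorithm,
    # otherwise the signed bytes and the unsigned outer header disagree.
    p = 0
    if tbs[0] == 0xA0:                     # optional [0] EXPLICIT version
        _, _, p = read_tlv(tbs, p)
    _, _, p = read_tlv(tbs, p)             # serialNumber
    _, inner_alg, _ = read_tlv(tbs, p)     # signature AlgorithmIdentifier
    if decode_oid(read_tlv(inner_alg)[1]) != oid:
        raise ValueError("tbsCertificate.signature != signatureAlgorithm")
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return {"oid": oid, "algorithm": name, "hash": digest,
            "deprecated": digest in DEPRECATED_HASHES}

# --- constructed sample data: no CA involved, the signature is dummy bytes ---
def encode_tlv(tag, content):
    """Encode one DER TLV with definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Encode a dotted-decimal OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:                    # higher base-128 digits carry 0x80
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return encode_tlv(0x06, bytes(out))

def build_sample_certificate(sig_oid, tbs_oid=None):
    """Build a structurally valid but CONSTRUCTED, unsigned Certificate."""
    alg_id = lambda o: encode_tlv(0x30, encode_oid(o) + encode_tlv(0x05, b""))
    tbs = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))  # version v3
                     + encode_tlv(0x02, b"\x01\x23\x45")                # serialNumber
                     + alg_id(tbs_oid or sig_oid))                       # signature
    sig = encode_tlv(0x03, b"\x00" + b"\xAB" * 128)  # BIT STRING, 0 unused bits
    return encode_tlv(0x30, tbs + alg_id(sig_oid) + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(classify_certificate(build_sample_certificate(oid)))
```

The inner/outer algorithm comparison is the caveat worth keeping: only tbsCertificate is covered by the signature, so a verifier that trusts the outer signatureAlgorithm alone can be shown one header while the signed bytes say another. An unknown OID is reported as "unknown" rather than silently passed, so it shows up for manual review.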

  1. Pascal Monett Silver badge

    "a band of tech companies"

    The following motion has been proposed by Rick Andrews of Symantec and endorsed by Bruce Morton of Entrust, Jody Cloutier of Microsoft, and Kirk Hall of Trend Micro.

    Symantec, Microsoft and Trend Micro. I expected Microsoft to be in the list, and am not very surprised by Symantec. As for Trend Micro, well they have to get their name in the limelight somehow, I guess.

    All in all, the usual suspects in favor of status quo, even if it means less security for the consumer.

  2. Alan W. Rateliff, II

    Supporting legacy clients, customers, colleagues

    Unfortunately, some of us still have to support legacy clients, customers, or colleagues which can only work with the SHA-1 hash or, just as bad, the higher end of the TLSv1 ciphers. In a few cases I have to support email transfer to servers which only support RC4-MD5.

    I have to set up a special machine to route to these legacy contacts, knowing full well that I cannot guarantee security (hell, I might as well not even bother encrypting) and relating that to both ends of the transfer. Looking at connection stats, I found that a number of US government agencies are still using the low-end of the TLSv1 suite, if not SSLv3 out-right, meaning that I have to keep a weak system in place for them. (Oh, and so do MANY of the Yahoo! "bullet" servers.)

    Client devices are yet another problem. I admit that my phone is so old it cannot support a SHA-2 hash, or anything better than TLSv1/3DES-SHA, which means that as I start enforcing strong encryption at my site I have to no longer use email on my phone, use my own SHA-signed CA and subsequent signed certificates on a dedicated server, or replace my phone (in order of most to absolute least likelihood -- my reticence to replace my phone is a topic for a later conversation.) Me aside, I have to still support a number of client devices for at least the next few months. I have already sent out The Word, and on my side is that Google and Microsoft services will not support them soon, either, so my chances of losing them as customers are slim.

    Anyway, a lot of work to do.

    1. Tomato42
      Facepalm

      Re: Supporting legacy clients, customers, colleagues

      Protip: Windows XP SP2 has been out of support for years now. (Even XP SP3 does support SHA256.) They are not secure, and them being unable to connect to www sites is the least of the problems. We also shouldn't compromise security of the whole internet for a few slackers.

      1. Doctor_Wibble

        Re: Supporting legacy clients, customers, colleagues

        > We also shouldn't compromise security of the whole internet for a few slackers.

        On the other hand it seems bizarre that the security of the whole internet could be compromised by a few legacy systems - if a couple of old XP boxes can kill the entire interwebs then I suggest that a bit of legacy handling* is the least of our problems.

        * doesn't require 'support', just 'failing gracefully' and possibly a link to something that works, or options, or clear advice on what the actual problem is instead of 'oh shucks that did not work'.

  3. Ru'
    Facepalm

    My internet service provider (which pretty much has a monopoly out here) uses sha1 for their payment site.

    When I pointed this out to them (prompted by Chrome warning me) they advised I should use a different browser...

  4. Nate Amsden

    need graceful failure

    It shocks me that so many folks push to just kill stuff without any sort of graceful failure. I mean in the case of SHA1 for example browsers and servers should be able to present a coherent message to the user about why things are not working.

    Firefox, for example, gives this kind of error:

    --

    The connection to XXX was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. (<-- "could not be verified" to me sounds like an SSL cert issue, e.g. self-signed certs; with self-signed certs browsers allow me to EASILY override and accept the cert, it should allow me to do the same here!!!)

    Please contact the website owners to inform them of this problem.

    --

    which to me is not sufficient; it should give details (or have an option to get details) as to specifically what the problem was. Was it that we are now not allowing SHA1? Or some other encryption standard? If I get the message perhaps I could contact the site owner and tell them specifically what is wrong; as-is it looks like a browser bug and I use another browser to get to the site (in this case it happens to be a PDU; I assume perhaps it is using SSL v3 which maybe Firefox doesn't like anymore, but honestly I don't know because it doesn't tell me).

    It pisses me off to no end to see a browser update for example all of a sudden break sites that were perfectly usable in the previous version because they decided that some security standard was no longer valid. If you are going to break it the least these people can do is show a more useful error message.

    Same goes for web servers / load balancers. I shouldn't get some obscure SSL connection error when connecting via SSLv3 if the remote server doesn't support it. It should accept the connection and show me something that says "sorry I can't serve you data because you are using SSLv3 and that is not secure anymore please upgrade your browser" (to-date haven't seen anything like that).

    1. Ken Hagan Gold badge
      Unhappy

      Re: need graceful failure

      I agree, but apparently we aren't the people these products are designed for.

      When the internet finally stops working, no-one will have any idea why and that's the way the focus groups in the usability labs like it.

  5. Michael Wojcik Silver badge

    A tad hyperbolic

    SHA-1 has not been "busted", at least in any published attack. I know reading for comprehension is tough, Darren, but the attack you refer to is a free-start collision, which does absolutely nothing to help an attacker forge an SHA-1-based signature.

    And certificates that specify SHA-1 as the signing algorithm are not "vulnerable" - yet. Nor are certificates signed with SHA-1.

    Even when creating arbitrary SHA-1 collisions becomes feasible, and later (possibly much later) finding preimage collisions also becomes feasible, it'll still be outside any reasonable threat model for a great many users for some time.

    Should people upgrade? Yes. But fear-mongering articles like this hugely distort the actual gravity of the situation. Probably many of the sites in question haven't been adequately penetration-tested, for example, and that's a much more pressing threat.
