All together, now!
Fuego!
There are so many things that hang around for years, until they are finally put to "rest."
Now, if only the IoT could get its act together on this, as well...
The death knell for the SHA‑1 cryptographic hash function will echo around the web now that all the main browser builders have decided to cut off support – only 12 years after its flaws were first discovered. On Friday, Mozilla and Microsoft both announced that support for SHA‑1 in HTTPS certificates would be dropped – Moz …
Can we get rid of Flash at the same time?
...and Silverlight as well. Same unnecessary rubbish, same problems, similarly unwanted.
However Silverlight is still a "recommended" update for making a server less secure... To add to the non-joined up stupidity should you click on an error link on a Windows server OS it will take you to the MS website which will then fail because JavaScript and Silverlight are not installed/enabled on a server's browser. Yes, we shouldn't really be using a server in this way but it happens...
"SHA-1 will still hang around, like a fart in a spacesuit,"
Creative imagery, but definitely didn't originate here.
There are hundreds of millions of computers out there that aren't running modern operating systems or browsers simply because their users see the machines as functional as they are now and have no reason to upgrade. My web server logs are showing plenty of Windows XP and old PowerPC Macs that hit our site and the people who hit our site most likely have the money to upgrade. There is also a growing number of old non-upgradable Android and iPhones that are hitting the site which seems odd but I expect that it is a result that when the device was new, it wasn't the owner's primary surfing device. Now that the old phone or old PC has been handed down, it is the only surfing device owned by the new user.
Just a small aside regarding mobile device figures.
I for one set my tablet's User Agent to a 5 year previous string. I do this even on my newest and sparkliest of devices. If I don't, every website I visit comprises 1k of content, and insists on sending 20 fucking megabytes of flash adverts. And even IF I can be bothered to wait for it all to be rendered, the lag those adverts cause simply by being displayed after downloading is barely tolerable.
This, sadly, appears to be a universal constant. And while I'm not suggesting your own web server is guilty, it's unlikely that users in my particular mindset (meaning, they prefer content over irrelevant advertising) will reset their UA to access your server.
Short version: Your logs only list the UA of accessing devices, which might not represent the ACTUAL device used.
I for one set my tablet's User Agent to a 5 year previous string. [...] Short version: Your logs only list the UA of accessing devices, which might not represent the ACTUAL device used.
People like you probably represent about 0.001% of the users. Most people don't even know what the user agent string is, so collecting statistics based on it is reliable enough.
" and now it's time to find the laggards and get them fixed."
Pass me my Cluebat! It's time to go fix some Laggards!
(the word laggard is really not used often enough in the English language. It's such a brilliant word. I really should try and slip it into conversation with my German colleagues. ;) )
I don't mind warnings, but when I press "I know this is insecure" it must continue to work. I have old ethernet KVM switches that insist on using it, for which firmware upgrades are not available. If they do not allow you to bypass the warnings then I will need to keep old browsers (or a VM copy of XP?) just for remote access to machines?
Perhaps Microsoft would like to assist many web site managers and to support the generation of certificate requests within IIS using something other than SHA-1.
While certificates can be requested using the certificate manager MMC plugin, IIS offers a far simpler service for the relatively narrow requirements of https certificates that is less prone to mistakes - either change it to support something other than SHA-1 or remove it altogether.
Oh, damn. I was about to comment on the irony of Microsoft, those stalwart overseers of Internet security, being responsible for the global average decline in secure use of the Internet, thanks largely to its Internet Exploder browser.
But the headline and e-mail flier imply the fact that nobody other than them still uses that shit, an implication clearly incorrect in the article!
Dammit, El Reg, you got me!
No one bothers about a MIM in the certificate chain, I presume.
I see someone has been naive enough to believe M$. Quickie for anyone to test on one's own:
1. Open M$.com via https
2. Dig into the certificate details
3. Check the very top of the certificate chain
The top certificate is issued to, quote: "VeriSign Class 3 Public Primary Certification Authority - G5". It was issued in 2006, i.e. a year after the SHA-1 was already pronounced less secure than anticipated. Which hasn't prevented VeriSign from keeping it around, and signing their root (!) certificate with SHA-1. Neither has prevented my browser from trusting it. It happily reports "The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_256_GCM)", end of the quote.
The certificate is to hang around for a little while, namely till 17 July 2036 0:59:59. How big a botnet would be needed 20 years in the future to tweak a false signature, and to create bogus intermediate certificates? One, maybe up to two desktops?