2016: Robo-butlers, flying cars, and Google's internet Terminators hunting SHA-1 SSL certs

Re: SHA1?

3DES because it still uses DES which has been cracked for a long time

In what sense has "DES ... been cracked for a long time"?

DC and LC against DES are better than brute force in simple complexity but infeasible due to the large number of chosen or known plaintexts required - around 2³⁹ for the best attack. The best variant of the Davies-Murphy attack seems to require 2⁴⁵ known plaintexts, so linear cryptography still has the best result, and it's still infeasible.

Any modern competent DES implementation avoids weak and semiweak keys, so forget about those too.

DES is vulnerable to brute-forcing because it has a short key. That's not "cracked"; it's simply reached the end of its design life.

3DES EDE with key mode 2 is weaker than it should be, with an effective key length of around 80 bits. That could be considered "cracked", but it's poor terminology at best. 3DES EDE with key mode 1 has an effective 112-bit key (due to meet-in-the-middle) and again the best known attacks are not feasible, with large computation and memory requirements (plus 2³² known plaintexts, which is tough even if you have an oracle).

It's only a matter of time for it to be thoroughly cracked.

While it's true that "attacks only get better", as the saying goes, there's no proof that any better attacks against DES or 3DES will be discovered. DES isn't a group, so the obvious route for a complete break is closed.

What's more likely is that computing power available to well-funded attackers will make 112-bit keys (for symmetric ciphers) unsuitable for medium-term protection of highly valuable data - just as NIST and every other entity in the field has been saying pretty much since the invention of computer cryptography. But again that's not a "crack". It's just a cipher reaching the end of its design lifespan.

And if you're worried about cipher-suite choice for SSL and TLS, far better to worry about the vast number of servers forcing RC4 for performance reasons, since it's possible there are feasible attacks against RC4 as used by HTTPS. The combination of predictable plaintexts (due to HTTP headers) and the ability to get a victim to encode a lot of them (due to Javascript-based attacks and the like) make the plaintext requirements of the RH attack on RC4 much more plausible.

And then you can worry about sites that only support SSLv3, or TLSv1 and so are vulnerable to BEAST, and so on.

Re: Like nuclear power...

In a mirror universe where Bill Gates has a beard and figured out how to write working search engines, Bing has 90% of the search engine market - and to get in the first five pages for any search term, you must be hosted on IIS.

I like the idea of HTTPS rather than HTTP, and better crypto whenever possible, but is the strength of encryption or hash size really valid as an indicator of page quality? When I'm searching for, say, a user manual for that old VoIP adapter I just bought on eBay, is the fact one site uses a fancy new SSL certificate actually relevant to my search?