Slashdot Mirror


Why Google Is Pushing For a Web Free of SHA-1

An anonymous reader writes: Google recently announced Chrome will be gradually phasing out support for certificates using SHA-1 encryption. They said, "We need to ensure that by the time an attack against SHA-1 is demonstrated publicly, the web has already moved away from it." Developer Eric Mill has written up a post explaining why SHA-1 is dangerously weak, and why moving browsers away from acceptance of SHA-1 is a lengthy, but important process. Both Microsoft and Mozilla have deprecation plans in place, but Google's taking the additional step of showing the user that it's not secure. "This is a gutsy move by Google, and represents substantial risk. One major reason why it's been so hard for browsers to move away from signature algorithms is that when browsers tell a user an important site is broken, the user believes the browser is broken and switches browsers. Google seems to be betting that Chrome is trusted enough for its security and liked enough by its users that they can withstand the first mover disadvantage. Opera has also backed Google's plan. The Safari team is watching developments and hasn't announced anything."

31 of 108 comments

  1. SHA-1 by turkeydance · · Score: 5, Funny

    has hit the fan

  2. Deprecation shouldn't start at the browser by Anonymous Coward · · Score: 4, Insightful

    It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

    1. Re:Deprecation shouldn't start at the browser by WaffleMonster · · Score: 3, Informative

      It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

      Certificate authorities' roots also use SHA1 and typically carry validity periods of decades.

    2. Re:Deprecation shouldn't start at the browser by nleven · · Score: 4, Insightful

      My understanding is CAs have limited interest in this matter. The product they are selling to website owners is really that green lock in the address bar. As long as that green lock icon is there, SHA1 or SHA256 won't make any difference. In this sense, deprecation should actually start at the browser.

    3. Re:Deprecation shouldn't start at the browser by Nick_Lowe712 · · Score: 4, Informative

      This clearly does not work though... Quoting Google's Adam Langley:

      "Unfortunately, many CAs decided to ignore it, presumably on the assumption that Microsoft would be forced to back down. We've done this dance with MD5 and 1024-bit certificates and we know how it goes.

      Here's a quick list of CAs that issued more than 2000 certificates extending into 2017 with SHA-1:

        GlobalSign nv-sa: 75,312
        GoDaddy: 41,606
        GeoTrust: 40,429
        Comodo: 37,789
        Verisign: 34,927
        Terena: 9,444
        Thawte: 8,735
        Internet2: 8,637
        Network Solutions: 8,077
        Entrust: 5,542
        AlphaSSL: 3,458

      We would all have liked CAs to have acted either when the Baseline was updated (2011) or when Microsoft laid down dates (Nov 2013) or when Chrome talked about doing this at the CA/B Forum meeting earlier this year. It is unfortunate that the 2016/2017 dates are being ignored.

      If you run a site and want to be insulated from this sort you might want to consider getting one year certificates. CAs like to sell multiple years of course but doing renewal once every three (or more) years means that you have a significant risk of losing the institutional knowledge of how to do it. (E.g. the renewal reminder email goes to someone who left last year and you then have a panic when it expires). Additionally, very long lived certificates are not insulated from these sorts of changes and you may need to replace them during their lifetime anyway."

      https://news.ycombinator.com/i...

    4. Re:Deprecation shouldn't start at the browser by sexconker · · Score: 2

      No, it should start, and stop, at the user's local cert store.
      I don't actually trust any of the root CAs, and would much rather the world ran on self-signed certs.
      I'd love to walk into my bank and say "Hey fuckers, I need to add your cert. Here's my cert so you can do the same. I can clearly see that you are in fact, my bank, and you can see that I am, in fact, your customer, so let's share our certs so we can communicate over public lines securely.".
      But no, that requires effort. So fuck it, we'll use untrustworthy certificate authorities who can and do fuck shit up and leak shit all over hell, and who are at the behest of corrupt governments.

    5. Re:Deprecation shouldn't start at the browser by Inf0phreak · · Score: 2

      If you set it up such that mails from, say, VeriSign are sent directly to , then you're DOING IT WRONG and you deserve what you get if a mail accidentally gets dropped because Bob got fired last year.

      One obvious solution is to run your own mail server and create <certificates@example.com>, a forward to <bobfromaccounting@example.com> and finally a bit of logic such that a big scary warning is sent to the administrator account for the mail server if the forward should ever fail. Whatever you do, the account that the CA is sending mail to should NEVER have to change for any reason and it should always be assigned to some person in the company.

      --
      ________
      Entranced by anime since late summer 2001 and loving it ^_^

    6. Re:Deprecation shouldn't start at the browser by MikeBabcock · · Score: 2

      Print your cert with a QR code on a single sheet of correspondence. It's not hard, and it would be easy to disseminate.

      --
      - Michael T. Babcock (Yes, I blog)

  3. I don't care. by JustNiz · · Score: 3, Funny

    My website will be fine since it uses ROT-13.

    1. Re:I don't care. by zephvark · · Score: 3, Funny

      That's why I always use ROT-13 twice. It completely eliminates the risk of that form of decryption.

    2. Re:I don't care. by amicusNYCL · · Score: 2

      Because I had to worry about clients using XP SP2, I'm stuck using ROT-1.

      You joke about that, but we just had to switch a major client's SSL certificate back to SHA-1 because their users in China couldn't use the new certificate since they were all on XP pre-SP3. We charged them something like a $500 stupidity tax for making us go through the process to install a less secure certificate.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

  4. First movers nothing. by Anonymous Coward · · Score: 5, Interesting

    First movers nothing. Firefox 32 just released, and it deprecated a bunch of certs without any real warning at all, causing some users to get mad (http://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/). Google waited for Mozilla to take the risk while planning to safely tell the user that the site is running outdated SHA-1 certs. Stop trying to paint them as heroes, they're just one of the players, and not even at the forefront of the effort.

    1. Re:First movers nothing. by obarel · · Score: 3, Funny

      There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years so you've had plenty of time to lodge any formal complaints and it's far too late to start making a fuss about it now.

  5. What MS and Mozilla might be thinking by lkangaroo · · Score: 2

    Do your job too well, and people start questioning if it's needed in the first place.

  6. Re:SHA1 is not encryption by stoploss · · Score: 3, Informative

    The summary writers really need to stop adding terminology willy-nilly. SHA1 is a hashing function, not an encryption.

    Yes, SHA-1 is a hashing algorithm, and anyone even remotely confused about the distinction should avert their eyes and NOT click on this link to an elucidating comment from a few years ago that indicated something... rather surprising... about the nature of hashing and encryption.

    Strange, eh?

  7. SHA-3 by Anonymous Coward · · Score: 5, Insightful

    Wouldn't now be the time to push toward a transition to SHA-3, rather than SHA-2? I realize SHA-2 implementations are much more common. But 1) SHA-2 was handed down from the NSA and 2) is in the same family as MD5 and SHA-1.

    Considering 1) the recent NSA scandals, 2) that SHA-3 was independently developed and won a public competition, and 3) that SHA-3 uses a newer family of one-hash algorithms which is provably more secure than SHA-2, it would seem prudent to use momentum to move to SHA-3 sooner rather than later.

    1. Re:SHA-3 by another+random+user · · Score: 2

      Interesting, didn't know that XP doesn't support SHA-2. As certs will have to move to SHA-2 or above, that means the XP users won't be able to connect any more - not an issue as far as I am concerned (would rather lose XP-based people than those who use the latest Chrome builds etc and won't connect because of security alerts).

      Given this, does this mean we are getting close to a point where we can start using SNI - if people with systems that don't support SNI can't connect anyway because they also don't support SHA-2, then just go all in and switch to SNI anyway.

      Are there browsers that do support SHA-2, but don't support SNI? If there are, are they a set that are actually worth worrying about?

      --
      -1 troll is not supposed to be used simply because you don't agree

    2. Re:SHA-3 by Anonymous Coward · · Score: 2, Informative

      Interesting, didn't know that XP doesn't support SHA-2.

      Read the post again: XP sp2 doesn't support SHA-2.

      XP with sp3 does - I just tried it with a sha256 certificate.

      As certs will have to move to SHA-2 or above, that means the XP users won't be able to connect any more - not an issue as far as I am concerned

      Some of us want to have a website to serve all paying customers, even if they use an old operating system.

      Amazon is probably the best example - any browser can shop on Amazon, since long ago Amazon realized that annoying their customers with the latest buzzword ajax "responsive" junk doesn't sell their product.

    3. Re:SHA-3 by skids · · Score: 2

      Well, if x509 had simply allowed for multiple signatures, we could just put both SHA2 and SHA3 signatures on the certs, and consumers of the certs could move towards supporting SHA3 as their security requirements dictate, ignoring the SHA2 signatures when they have a SHA3 signature available to them.

      But as with everything PKI related, the people making the calls have some blind spots when it comes to making things forward compatible or even particularly maintainable. It's as if they've never had to do a day of PKI gruntwork in their life.

  8. What about Symantec Class 3 EV SSL CA - G2 by viperidaenz · · Score: 2

    Issuer: CN = VeriSign Class 3 Public Primary Certification Authority - G5, OU = (c) 2006 VeriSign, Inc. - For authorized use only, OU = VeriSign Trust Network, O = VeriSign, Inc., C = US
    Subject: CN = Symantec Class 3 EV SSL CA - G2, OU = Symantec Trust Network, O = Symantec Corporation, C = US
    Valid from: Thursday, 31 October 2013 12:00:00 p.m.
    Valid to: Tuesday, 31 October 2023 11:59:59 a.m.
    Signature algorithm: sha1RSA
    Signature hash algorithm: sha1
    Thumbprint algorithm: sha1
    Thumbprint: e4 99 59 a4 b3 36 ac bd 2d ac 75 9b b5 21 b9 46 03 3e 82 3a

    They're still issuing certificates. It appears they use sha1?
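
Added example, not part of the thread or any poster's code: a Python check that reads a certificate-viewer field dump like the one in the comment above and flags a SHA-1-signed, non-root certificate whose validity extends past a cutoff. The 2017-01-01 cutoff (taken from the "extending into 2017" criterion quoted earlier in the thread) and all function names are assumptions of this example.

```python
from datetime import datetime

# Fields copied from the comment above (thumbprint value omitted).
DUMP = """\
Issuer: CN = VeriSign Class 3 Public Primary Certification Authority - G5, OU = (c) 2006 VeriSign, Inc. - For authorized use only, OU = VeriSign Trust Network, O = VeriSign, Inc., C = US
Subject: CN = Symantec Class 3 EV SSL CA - G2, OU = Symantec Trust Network, O = Symantec Corporation, C = US
Valid from: Thursday, 31 October 2013 12:00:00 p.m.
Valid to: Tuesday, 31 October 2023 11:59:59 a.m.
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Thumbprint algorithm: sha1
"""

# Assumption: cutoff taken from the "extending into 2017" criterion in the thread.
CUTOFF = datetime(2017, 1, 1)

def parse_dump(text):
    """Split 'Name: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def parse_date(value):
    """'Tuesday, 31 October 2023 11:59:59 a.m.' -> datetime(2023, 10, 31)."""
    day_month_year = value.split(", ", 1)[-1].split()[:3]
    return datetime.strptime(" ".join(day_month_year), "%d %B %Y")

def audit(text, cutoff=CUTOFF):
    f = parse_dump(text)
    # Only the hash inside the CA's signature matters. The thumbprint is a
    # fingerprint the viewer computes locally, so its algorithm is ignored.
    sha1_signed = f.get("signature hash algorithm", "").lower() in ("sha1", "sha-1")
    # A self-signed root is trusted by being in the store, not by its signature.
    self_signed = f.get("issuer") == f.get("subject")
    past_cutoff = parse_date(f["valid to"]) >= cutoff
    return {
        "subject": f.get("subject"),
        "sha1_signature": sha1_signed,
        "self_signed": self_signed,
        "valid_past_cutoff": past_cutoff,
        "flag": sha1_signed and not self_signed and past_cutoff,
    }
```

Calling `audit(DUMP)` flags the intermediate shown above; the same dump with a sha256 signature hash is not flagged even though the viewer still reports a sha1 thumbprint.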

  9. Uhh yeah by Lirodon · · Score: 4, Informative

    Implying only Google is doing this. Microsoft is doing it too, and a Firefox bug has made a similar proposal shortly after said announcement. https://bugzilla.mozilla.org/s...

  10. https://www.google.com using SHA-1 by WaffleMonster · · Score: 5, Interesting

    Amazing www.google.com and every single link in its trust chain is using SHA-1 signature algorithm.

    1. Re:https://www.google.com using SHA-1 by return+42 · · Score: 3, Informative

      True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

      In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time — and they don't need to. (Though I'm sure they would prefer a nice quiet forgery to issuing an order that someone might blow the whistle about.)

  11. Re:The Real Reason? by Qzukk · · Score: 2

    Except that it's honestly a shitty idea given the history of witness unreliability. The human mind is pretty shit at remembering a real human's face you've only seen once. Worse, an uncanny valley fake face is going to look like every other uncanny valley fake face, especially without additional visible features like hair or glasses (and even then the memory is likely to recall "wears glasses" not a specific style or color).

    Also, the guy never explained what the hell the problem was that he wants the engineers to make a solution for, other than "it doesn't use this cool face-making library I wrote." Clearly we are all too stupid to see the value of having lawnmower man's face shown when we log into our banking website, if only we weren't engineers instead of PhDs.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  12. Re: Dip Shit Alert! It's a hash not crypto! by owlstead · · Score: 3, Informative

    Hash is crypto. It's not encryption, although with a bit of effort it can be turned into a stream cipher.

  13. Re:Hash in counter mode == stream cipher by Mr+Z · · Score: 2

    While that may be true, web browsers aren't using SHA-1 for encryption, especially for validating certificates. It's a cryptographically strong hashing function, but not, on its own, encryption.

  14. That's rich coming from Google, they sure love RC4 by citizenr · · Score: 3, Informative

    Google still REQUIRES RC4 for Youtube.

    https://news.ycombinator.com/i...

    --
    Who logs in to gdm? Not I, said the duck.

  15. Re:That's rich coming from Google, they sure love by Nick_Lowe712 · · Score: 2

    Except that is out-of-date information so it is meaningless to this discussion: https://www.ssllabs.com/ssltes...

  16. Re: People who just bought a multiyear certificate by corychristison · · Score: 3, Insightful

    Not sure if serious...

    Most CAs offer free re-issues these days, allowing you to change your key, and hashing algorithm, and possibly other stuff.

  17. Re:Thumbprint by viperidaenz · · Score: 2

    That's not a root CA, it's an intermediate CA signed by the VeriSign root CA.

  18. Re:That's rich coming from Google, they sure love by citizenr · · Score: 2

    The only meaningless information is coming from you. It's not the YT portal that requires RC4, it's servers serving actual video files

    r6---sn-2apm-f5fs.googlevideo.com
      accepted ciphers:
    TLSv1 128 bit RC4-SHA
    SSLv3 128 bit RC4-SHA

    and hundreds of other content farm servers

    --
    Who logs in to gdm? Not I, said the duck.