Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Google Is Pushing For a Web Free of SHA-1

Posted by Soulskill on from the collision-course dept.

An anonymous reader writes: Google recently announced Chrome will be gradually phasing out support for certificates using SHA-1 encryption. They said, "We need to ensure that by the time an attack against SHA-1 is demonstrated publicly, the web has already moved away from it." Developer Eric Mill has written up a post explaining why SHA-1 is dangerously weak, and why moving browsers away from acceptance of SHA-1 is a lengthy, but important process. Both Microsoft and Mozilla have deprecation plans in place, but Google's taking the additional step of showing the user that it's not secure. "This is a gutsy move by Google, and represents substantial risk. One major reason why it's been so hard for browsers to move away from signature algorithms is that when browsers tell a user an important site is broken, the user believes the browser is broken and switches browsers. Google seems to be betting that Chrome is trusted enough for its security and liked enough by its users that they can withstand the first mover disadvantage. Opera has also backed Google's plan. The Safari team is watching developments and hasn't announced anything."

17 of 108 comments (clear)

  1. SHA-1 by turkeydance · · Score: 5, Funny

    has hit the fan

  2. Deprecation shouldn't start at the browser by Anonymous Coward · · Score: 4, Insightful

    It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

    1. Re:Deprecation shouldn't start at the browser by WaffleMonster · · Score: 3, Informative

      It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

      Certificate authorities roots also use SHA1 and typically carry validity periods of decades.

    2. Re:Deprecation shouldn't start at the browser by nleven · · Score: 4, Insightful

      My understanding is CAs have limited interest in this matter. The product they are selling to website owners is really that green lock in the address bar. As long as that green lock icon is there, SHA1 or SHA256 won't make any difference. In this sense, deprecation should actually start at the browser.

    3. Re:Deprecation shouldn't start at the browser by Nick_Lowe712 · · Score: 4, Informative

      This clearly does not work though... Quoting Google's Adam Langley: "Unfortunately, many CAs decided to ignore it, presumably on the assumption that Microsoft would be forced to back down. We've done this dance with MD5 and 1024-bit certificates and we know how it goes. Here's a quick list of CAs that issued more than 2000 certificates extending into 2017 with SHA-1: GlobalSign nv-sa: 75,312 GoDaddy: 41,606 GeoTrust: 40,429 Comodo: 37,789 Verisign: 34,927 Terena: 9,444 Thawte: 8,735 Internet2: 8,637 Network Solutions: 8,077 Entrust: 5,542 AlphaSSL: 3,458 We would all have liked CAs to have acted either when the Baseline was updated (2011) or when Microsoft laid down dates (Nov 2013) or when Chrome talked about doing this at the CA/B Forum meeting earlier this year. It is unfortunate that that 2016/2017 dates are being ignored. If you run a site and want to be insulated from this sort you might want to consider getting one year certificates. CAs like to sell multiple years of course but doing renewal once every three (or more) years means that you have a significant risk of loosing the institutional knowledge of how to do it. (E.g. the renewal remainder email goes to someone who left last year and you then have a panic when it expires). Additionally, very long lived certificates are not insulated from from these sorts of changes and you may need to replace them during their lifetime anyway." https://news.ycombinator.com/i...

  3. I don't care. by JustNiz · · Score: 3, Funny

    My website will be fine since it uses ROT-13.

    1. Re:I don't care. by zephvark · · Score: 3, Funny

      That's why I always use ROT-13 twice. It completely eliminates the risk of that form of decryption.

  4. First movers nothing. by Anonymous Coward · · Score: 5, Interesting

    First movers nothing. Firefox 32 just released, and it deprecated a bunch of certs without any real warning at all, causing some users to get mad (http://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/). Google waited for Mozilla to take the risk while planning to safely tell the user that the site is running outdated SHA-1 certs. Stop trying to paint them as heroes, they're just one of the players, and not even at the forefront of the effort.

    1. Re:First movers nothing. by obarel · · Score: 3, Funny

      There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years so you've had plenty of time to lodge any formal complaints and its far too late to start making a fuss about it now.

  5. Re:SHA1 is not encryption by stoploss · · Score: 3, Informative

    The summary writers really need to stop adding terminology willy-nilly. SHA1 is a hashing function, not an encryption.

    Yes, SHA-1 is a hashing algorithm, and anyone even remotely confused about the distinction should avert their eyes and NOT click on this link to an elucidating comment from a few years ago that indicated something... rather surprising... about the nature of hashing and encryption.

    Strange, eh?

  6. SHA-3 by Anonymous Coward · · Score: 5, Insightful

    Wouldn't now be the time to push toward a transition to SHA-3, rather than SHA-2? I realize SHA-2 implementations are much more common. But 1) SHA-2 was handed down from the NSA and 2) is in the same family as MD5 and SHA-1.

    Considering 1) the recent NSA scandals, 2) that SHA-3 was independently developed and won a public competition, and 2) that SHA-3 uses a newer family of one-hash algorithms which is provably more secure than SHA-2, it would seem prudent to use momentum to move to SHA-3 sooner rather than later.

  7. Uhh yeah by Lirodon · · Score: 4, Informative

    Implying only Google is doing this. Microsoft is doing it too, and a Firefox bug has made a similar proposal shortly after said announcement. https://bugzilla.mozilla.org/s...

  8. https://www.google.com using SHA-1 by WaffleMonster · · Score: 5, Interesting

    Amazing www.google.com and every single link in its trust chain is using SHA-1 signature algorithm.

    1. Re:https://www.google.com using SHA-1 by return+42 · · Score: 3, Informative

      True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

      In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time — and they don't need to. (Though I'm sure they would prefer a nice quiet forgery to issuing an order that someone might blow the whistle about.)

  9. Re: Dip Shit Alert! It's a hash not crypto! by owlstead · · Score: 3, Informative

    Hash is crypto. Its not encryption although with a bit of effort it can be turned into a stream cipher.

  10. Thats rich comming from Google, they sure love RC4 by citizenr · · Score: 3, Informative

    Google still REQUIRES RC4 for Youtube.

    https://news.ycombinator.com/i...

    --
    Who logs in to gdm? Not I, said the duck.
  11. Re: People who just bought a multiyear certificate by corychristison · · Score: 3, Insightful

    Not sure if serious...

    Most CA's offer free re-issues these days. Allowing you to change your key, and hashing algorithm, and possibly other stuff.