US Military Websites Still Relying On SHA-1 (netcraft.com)
An anonymous reader writes: Netcraft confirms many U.S. Department of Defense websites, including a remote access service used by the Missile Defense Agency, are more vulnerable to man-in-the-middle attacks than most consumer websites. The weaker-than-previously-thought SHA-1 algorithm is the main culprit, with the DoD today being the most prolific user of SHA-1 signed SSL certificates, even though NIST banned new use of this signature algorithm two years ago. Most of the vulnerable certificates to be issued recently are used by .mil websites, which are operated by agencies, services and divisions of the DoD. All of these sites are consequently vulnerable to attack by enemy governments and criminals who can stump up enough cash ($75,000) to crack the certificates.
Given the pages are mostly a picture, logos, public mission statements, employment/recruiting details, domestic and global propaganda images.
The only thing that's going to be "discovered" is a log or trace of anyone looking at the site.
It's all just bait. If the person looking is found domestically, they might get the recruited-by-indictment offer.
Domestic spying is now "Benign Information Gathering"
A quick search found "SHA-1 hashing algorithm could succumb to $75K attack, researchers say" (08 Oct 15) :)
http://www.pcadvisor.co.uk/new...
"... US$75,000 and $120,000 to mount a viable attack using freely available cloud-computing services"
"... someone can create two different files that have the same hash, it's possible to digitally sign one" Try searching for 75K or $75,000 by date and see what other public news can be found
As I understand it, constructing a rogue certificate by attacking secure hash functions requires either
1: a preimage attack on SHA-1 with chosen prefix and chosen suffix. This seems unlikely in the foreseeable future even for MD5.
2: a collision attack with distinct chosen prefix and common chosen suffix, combined with a CA that has poor procedures that allow the purchaser to predict what their certificate metadata will be. This has been demonstrated in the past for MD5 (google "md5 collisions inc"). No one has yet demonstrated a full collision for SHA-1, let alone a distinct chosen-prefix collision.
As of right now I would class this as a lower risk than the risk of some CA simply issuing an end-entity certificate to someone other than the legitimate owner of the domain and/or issuing an intermediate certificate to the attacker. Of course attack techniques are improving all the time, so it's prudent to move sooner rather than later. Chrome is being a bit alarmist because they know if they don't then people won't move until it's too late.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
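A defender's check for the issue the story and the comments above turn on, added here as an example (not code from the original post or from Netcraft): it walks the top level of a DER-encoded certificate and flags an outer signatureAlgorithm that is SHA-1 based, which is the property an inventory of .mil (or any) sites would need to report on. The sample certificates are constructed placeholders with an empty TBS body; only the algorithm OIDs and their encodings are real.

```python
# Defender check: flag certificates whose outer signatureAlgorithm is SHA-1 based.
# Walks only the top level of the DER (RFC 5280): Certificate ::= SEQUENCE { tbs, sigAlg, sig }
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",   # RFC 3279
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
MODERN_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",  # RFC 4055
                   "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}          # RFC 5758

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, content, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OID content octets -> dotted string (first octet packs arcs 1 and 2)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:                  # base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = der_tlv(cert)           # skip tbsCertificate entirely
    _, alg_id, _ = der_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg_id)          # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def audit(cert_der):
    """('WEAK', name) for a SHA-1 signature, otherwise ('OK', name or raw OID)."""
    oid = signature_algorithm(cert_der)
    if oid in SHA1_SIG_OIDS:
        return "WEAK", SHA1_SIG_OIDS[oid]
    return "OK", MODERN_SIG_OIDS.get(oid, oid)

# Constructed samples (not real certificates): empty TBS, real AlgorithmIdentifier, dummy signature.
def _der(tag, body):                       # short-form DER encoder, enough for the samples
    return bytes([tag, len(body)]) + body
def fake_cert(oid_content):
    alg_id = _der(0x30, _der(0x06, oid_content) + _der(0x05, b""))   # { OID, NULL }
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5, DER content
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11, DER content
```

On a real DER certificate (e.g. the output of `ssl.PEM_cert_to_DER_cert`) the same `audit()` call works unchanged, since the TBS body is skipped rather than parsed.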