Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Military Websites Still Relying On SHA-1 (netcraft.com)

Posted by Soulskill on from the what-year-is-it dept.

An anonymous reader writes: Netcraft confirms many U.S. Department of Defense websites, including a remote access service used by the Missile Defense Agency, are more vulnerable to man-in-the-middle attacks than most consumer websites. The weaker than previously-thought SHA-1 algorithm is the main culprit, with the DoD today being the most prolific user of SHA-1 signed SSL certificates, even though NIST banned new use of this signature algorithm two years ago. Most of the vulnerable certificates to be issued recently are used by .mil websites, which are operated by agencies, services and divisions of the DoD. All of these sites are consequently vulnerable to attack by enemy governments and criminals who can stump up enough cash ($75,000) to crack the certificates.

4 of 52 comments (clear)

  1. Gonna need a reference here... by TWX · · Score: 3, Interesting

    ...how did the $75,000 figure come to be? Is that what it costs for computer time to brute-force something? Is that what someone that holds a huge list of brute-calculated keys charges to do a lookup and provide the reverse-engineered private key?

    --
    Do not look into laser with remaining eye.
    1. Re:Gonna need a reference here... by ILongForDarkness · · Score: 3, Interesting

      Yeah probably a lot lower. I've often found a 10X speed boost when optimizing SQL code for example. People just thought it must take about that long so didn't bother looking for a better way. Slap an index, reorder a query and presto. I get there are mathematical limits to cracking crypto but in this case you are trying to duplicate a file it sounds like right? I'm sure someone will come up with an in memory solution etc that somebody didn't think of. In short that $75k problem is probably more like 7.5k or even $750.

      Not to mention: if I'm trying to hack a government site do you think I'm morally opposed to creating a botnet for ~free?

  2. Big organizations are slow as molasses, news at 11 by cerberusss · · Score: 3, Interesting

    Right now, I'm freelancing as a software developer, working for a company with a 10 billion yearly revenue. As you can imagine, the IT here is very complex and you have dozens of "software architects" trying to keep an eye on all the connections between systems.

    At some point, an internal iOS app wouldn't work because since iOS 9, Apple by default requires decent algorithms for secure network connections. Upgrading these requires consulting half a dozen software architects, just to coordinate a simultaneous upgrade of all the systems.

    And before that, I find myself explaining to software architects what the difference is between SSL and TLS.

    --
    8 of 13 people found this answer helpful. Did you?
  3. So does Australian intelligence agency ASIO by trawg · · Score: 3, Interesting

    I noticed the other day that ASIO (Australian Security Intelligence Organisation) throws a SHA-1 warning in Chrome ("This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private").

    https://www.asio.gov.au/About-...

    Still almost two years left on the cert.

    So I wonder:

    1) Is this a terribly big deal and, as Chrome (i.e., Google) warns, should I be massively concerned that our chief intelligence agency is running with algorithms that are considered obsolete by the infosec community?!

    or

    2) Have they carefully looked at all the known SHA-1 weaknesses (and presumably several that are not known to the wider public) and determined the risk is acceptable and that (for example) people applying for jobs on their website are not in danger of having their details compromised?!