Slashdot Mirror


Microsoft Follows Mozilla In Considering Early Ban On SHA-1 Certificates (csoonline.com)

itwbennett writes: Following the first successful collision attack on the SHA-1 hashing algorithm last month, Mozilla said that it was considering a cut-off of July 1, 2016 to start rejecting all SHA-1 SSL certificates, ahead of an earlier scheduled date of Jan. 1, 2017. And now Microsoft is considering blocking the hashing algorithm on Windows by June next year.

47 comments

  1. Kickstarter by nneonneo · · Score: 2

    If it really is only $75-120K to crack SHA1, I propose we start a Kickstarter to gather the funds. Given the estimate of a few months, we'll ship our SHA1 collision well before a lot of other Kickstarter projects ship their products :)

    1. Re:Kickstarter by cjmnews · · Score: 1

      If the statement "first successful collision attack" were true, then I would put money into that Kickstarter.

      But, if you follow the links, you'll find that they only partially succeeded on the collision in just the compression section of SHA-1. There's a lot more work to be done to make this into an actual SHA-1 collision. Their estimate of a full collision by the end of the year is overly optimistic.

      The Kickstarter would have some cash, that would be quickly drained without a full collision in sight. So, I'll have to pass on giving it any of my cash.

      --
      You can lose something that is loose, so tighten the loose item so you don't lose it.
  2. Overrides by sexconker · · Score: 4, Insightful

    At least let me fucking override shit for my devices (UPSes, copiers, etc.) that have absolutely no ability to use anything other than the self-signed shit they come with.

    I'm fine with warning or blocking by default, but when those idiots remove my ability to do what I need to do (whitelist) I end up having to keep an older version of the browser with more holes in it just to connect to this UPS, that switch, this copier, etc.

    1. Re:Overrides by Anonymous Coward · · Score: 0

      Nice to meet another person stuck with Firefox 38 for the time being.

    2. Re:Overrides by kthreadd · · Score: 1

      You can't have two versions installed at the same time?

    3. Re:Overrides by Zuriel · · Score: 5, Informative

      You can join the ranks of people holding on to WinXP virtual machines because they need them to administer that one device that needs a certain version of Java 1.4 and Firefox 3.6.

    4. Re:Overrides by aduxorth · · Score: 1

      Those sorts of people should just install one of the free VM products (QEMU (Linux), Virtual PC (Windows)) available for their machine, install the OS and only use it when required.
      There are also a few paid ones available.
      Doing this would provide a greater level of security.

    5. Re: Overrides by Anonymous Coward · · Score: 0

      What device is that? And what manufacturer? Hang them out so that no one buys them.

    6. Re:Overrides by EmeraldBot · · Score: 1

      Those sorts of people should just install one of the free VM products (QEMU (Linux), Virtual PC (Windows)) available for their machine, install the OS and only use it when required. There are also a few paid ones available. Doing this would provide a greater level of security.

      ranks of people holding on to WinXP virtual machines

      It's not quite so bad as you think, then :)

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    7. Re: Overrides by Anonymous Coward · · Score: 0

      They're not for sale anymore. The point is I shouldn't have to throw an existing device away because it uses a deprecated hashing algorithm for logging in.

    8. Re:Overrides by Gaygirlie · · Score: 2

      Why not just use a portable version of some old Firefox, for example? If you use the portable, outdated version only for the outdated devices and the up-to-date Firefox for everything else, it shouldn't be too much of an issue?

    9. Re:Overrides by aduxorth · · Score: 1

      whoops, missed the virtual machines bit

    10. Re: Overrides by Anonymous Coward · · Score: 0

      Why not? Your device has been broken.

    11. Re:Overrides by Big+Hairy+Ian · · Score: 2

      The problem with the Internet of Things is that nobody seems to issue security updates for the plethora of devices we have plugged into our networks and when they do it's almost impossible to actually apply them.

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    12. Re: Overrides by jabuzz · · Score: 1

      All of them is the short answer. I have at work a myriad of browser versions to deal with embedded management devices that no longer work with modern browsers. The latest is that my 3.5 year old Dell C6100s, all still under maintenance, won't work with either Chrome or Firefox (shitty SHA1 only, it appears), and there is no update from Dell. I also have a range of Sun/Oracle kit, again still all under maintenance, and again all does not work. The Sun/Oracle kit is the biggest joke as I have to maintain random old versions of Java to use the ILOM because it doesn't work with

      There should be some damn option to let me say everything on network X.X.X.X/X (aka my totally private physically separate management network) just use whatever out of date shit they want, don't complain about duplicate certificates or anything else either.

    13. Re: Overrides by Anonymous Coward · · Score: 0

      Somehow suggesting that one NOT be nightmarishly paranoid and driven into massive consumption by it?

    14. Re: Overrides by sexconker · · Score: 2

      APC SmartUPS
      Dell PowerConnect switches
      HP switches (forget the name of the line)
      Canon, Konica, and Xerox copiers
      Etc.

      These types of things are in place for decades, and all require some sort of ancient voodoo tool chain to fully manage.

      Lord help you if you need to connect to an old UPS or switch via serial. 99 times out of 100 you won't have a serial port on any convenient device, the UPS to serial adapters only work half the time even when you can figure out the specific settings for the device, and then you run the risk of running into a device that demands a non-standard cable with fucked-up pin mapping - I'm looking at you, APC.

      It's gotten to the point that every device we deploy gets deployed with the serial cable permanently attached AND a USB adapter that is known to work with it. Then the device is covered in labels with shit like the internal IP, what flow control/etc. settings you need for serial, and which dark god you must pray to in order to get in and do your job.

    15. Re:Overrides by sexconker · · Score: 1

      That's exactly what I do.
      But I need multiple versions for different pieces of shit.

    16. Re: Overrides by Anonymous Coward · · Score: 0

      Any "unsupported" (read as greater than 90 days to three years old) printer, UPS, copier, building control, security camera, etc. that was built using Java, ActiveX or some other proprietary locked-in device.

      HP printers come to mind on the Java front.

    17. Re: Overrides by Anonymous Coward · · Score: 0

      Replacing the printer that lives on an internal network because the web management interface, which I only use once every few years, is slightly insecure is stupid. It's not broken.

    18. Re: Overrides by Anonymous Coward · · Score: 0

      Do you have a web server on your network? If yes, let it act as a proxy. You may use a more contemporary certificate on the browser hop, and you don't have to throw the printer out. When you do, eventually, be sure to pick one with open or hackable firmware.

    19. Re:Overrides by haruchai · · Score: 1

      I have this problem with devices that need older versions of Java. I keep around a Win 2003 VM just to be able to use web interfaces for some old production hardware that the business doesn't want to pay to replace until it dies.

      --
      Pain is merely failure leaving the body
  3. Leave it to the people by Anonymous Coward · · Score: 0

    to decide. Tracie Spencer says as much. She goes on to say, we don't need no fucking nannies telling us how to run our own fucking lives. So bugger off bitches! Yes, she said this.

  4. Forced to click through by Sits · · Score: 4, Informative

    My experience of these changes is that you'll be forced to click through a warning in your browser even if you installed the certificate (or the root CA signing the certificate). The Microsoft page about no longer trusting SHA1 certs is confusing in this respect because it includes information about signing Windows binaries but it does say

    Windows [...] will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016

    That document also says it only applies to certs that are in the Microsoft Root Certificate Program so ones you've manually installed might not be affected.

    This is slightly different from Mozilla's SHA-1 deprecation information:

    After January 1, 2017, we plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.

    Perhaps this isn't the override you were thinking of but it doesn't sound like a total block.

  5. git by Anonymous Coward · · Score: 0

    So does banning the SHA-1 algorithm mean Git on Windows will be a NO-GO after that?

    1. Re:git by jonwil · · Score: 3, Insightful

      No, this only affects SSL certificates using the SHA-1 hash. Git isn't using the SHA-1 hash in a way where generating a collision would have security risks so there is no reason why anything has to change for Git.

    2. Re:git by Anonymous Coward · · Score: 0

      No, this only affects SSL certificates using the SHA-1 hash. Git isn't using the SHA-1 hash in a way where generating a collision would have security risks so there is no reason why anything has to change for Git.

      Quoting a post from the old article quoting another article quoting an old answer from Linus on the issue:

      [...] it's not really a big deal.

    3. Re:git by Anonymous Coward · · Score: 0

      I don't know the internals of git, but can you elaborate a bit?

      If I can make some code sha1 clash, maybe mitm-ing a git pull, moving something like:

      if (uid == 0)

      to

      if (uid = 0)

      that sounds like a problem that can hit git, too.
      What is used in git to generate the sha?

    4. Re:git by Anonymous Coward · · Score: 0

      Because the SHA-1 is the same, the git pull will ignore the modification as the file is the same. Additionally, any attempt to push your change will also be ignored. If somehow the changes were taken through, the system could still detect it if you used the tools to look for repo damage, as there is a very good chance the diffs and metadata and whatnot would not match.
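      To make the question "what is used in git to generate the sha?" and the answer above concrete, here is an added Python example; it is not code from any commenter or from git itself. It reproduces git's object-id rule (SHA-1 over a "type length\0" header plus the content) and a toy object store in which an id that is already present is never overwritten; the `oid=` parameter is a constructed hook that exists only to model a hypothetical collision, and the "fresh repo" case shows the caveat that a repository which receives the bad object first keeps it.

```python
import hashlib

def git_object_id(obj_type: str, payload: bytes) -> str:
    """Hex SHA-1 that git assigns to an object. The hash covers a header
    "<type> <byte length>\\0" followed by the raw payload, so the object type
    and its length are hashed too, not just the file content."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

class ObjectStore:
    """Toy content-addressed store modelled on .git/objects (simplified,
    assumption). An id already present is never overwritten: bytes arriving
    under a known id are discarded, which is the behaviour described above."""
    def __init__(self):
        self._objects = {}

    def store(self, obj_type, payload, oid=None):
        # oid is normally derived from the payload; the parameter is a
        # constructed hook so the demo can model a collision (same id, other bytes).
        oid = oid or git_object_id(obj_type, payload)
        if oid in self._objects:
            return oid, False          # already have it: incoming bytes ignored
        self._objects[oid] = payload
        return oid, True

    def read(self, oid):
        return self._objects[oid]

# Constructed sample input: the two source lines from the thread.
ORIGINAL = b"if (uid == 0)\n"
TAMPERED = b"if (uid = 0)\n"

def demo():
    """What a repo that already holds ORIGINAL does with a hypothetical
    colliding TAMPERED blob, versus a fresh repo that sees TAMPERED first."""
    oid = git_object_id("blob", ORIGINAL)
    existing = ObjectStore()
    existing.store("blob", ORIGINAL)
    _, accepted = existing.store("blob", TAMPERED, oid=oid)  # modelled collision
    fresh = ObjectStore()
    fresh.store("blob", TAMPERED, oid=oid)  # first fetch already tampered
    return {
        "ids_differ": oid != git_object_id("blob", TAMPERED),
        "collision_accepted_by_existing_repo": accepted,
        "existing_repo_content": existing.read(oid),
        "fresh_repo_content": fresh.read(oid),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The empty-blob id the function produces (e69de29bb2d1d6434b8b29ae775ad8c2e48c5391) matches what `git hash-object` reports for an empty file, which is a quick way to confirm the header rule.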

    5. Re:git by barbariccow · · Score: 1

      if (uid == 0)

      to

      if (uid = 0)

      I CAN'T BELIEVE YOU POSTED THIS 0-DAY CODE ON HOW TO MITM SHA1! Did you even BOTHER to notify the correct people and give them the 90 days to correct such a mistake??

    6. Re:git by Bengie · · Score: 1

      They skirt the issue by assuming you're only talking about remote attacks. Many people use 3rd-parties to host git, like github. It is possible for someone to have direct access and manipulate git to potentially make unnoticed modifications.

  6. Try not to be misguided by GuB-42 · · Score: 5, Insightful

    It's fine rejecting insecure certificates but sometimes, I'd rather have browsers get their priorities in order.
    If you go on a SSL website that uses a self-signed certificate or use a slightly outdated one, you are presented with a scary warning page with multiple clicks needed to get to it. However, plain HTTP goes right through even though it is less secure than SSL with any bogus certificate.

    Instead of a ban, I'm all for a rating system, like :
    - Strong : everything OK, strong crypto
    - Medium : slightly outdated, weaker crypto (SHA-1 could be on this level)
    - Weak : self-signed, completely outdated
    - None : HTTP
    - Dangerous : revoked, mismatched certificate, suspect behavior (such as a decrease in security from last visit)
    Only the "dangerous" category should trigger a warning, for the other categories, a different "lock" icon should be sufficient. Like the crossed-out "https" in Google Chrome.

    1. Re:Try not to be misguided by Erik+Hensema · · Score: 0

      Posting sensitive data to an unauthenticated server is very bad. For instance, when your online banking environment suddenly uses a self-signed certificate, you should notice. This is a very bad situation, and should fall within the "dangerous" category and certainly not in the "weak" category.

      --

      This is your sig. There are thousands more, but this one is yours.

    2. Re:Try not to be misguided by petermgreen · · Score: 1

      The problem with the lock icon and similar things is it arrives too late. By the time the user sees it they have already interacted with the server and potentially sent it sensitive information.

      Consider for example a login form on https://foo.mycorp.com/ that submits the login details to https://bar.mycorp.com/ .

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    3. Re:Try not to be misguided by behrooz0az · · Score: 2

      I quote GP:

      suspect behavior (such as a decrease in security from last visit)

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    4. Re:Try not to be misguided by GuB-42 · · Score: 3, Insightful

      Indeed but posting sensitive data unencrypted is even worse and the browser won't say anything about it.
      The problem is that the browser has no simple way of knowing if the site is sensitive or not. The best it can do is to tell you clearly about the level of security so that you can react accordingly.
      "Dangerous" would be "worse than unencrypted" and should be reserved for cases where an attack is strongly suspected, cases where the error is unlikely to be simply the result of poor maintenance (outdated) or not wanting to deal with certificate authorities (self-signed).
      Also note that the examples I gave are not necessarily the best. The true conditions should be determined by actual data. But, I sometimes see myself going to the http version of a (non sensitive) site to avoid the warning, that's retarded and browsers shouldn't encourage this behavior. Also, wanting to visit a broken https site once doesn't mean I want to add an exception forever.

    5. Re:Try not to be misguided by Erik+Hensema · · Score: 1, Insightful

      Then the first visit is always unsafe since no data is known. Now you can get valid data by checking the certificate, but since that's not what the OP wants, what's left?

      --

      This is your sig. There are thousands more, but this one is yours.

    6. Re:Try not to be misguided by Anonymous Coward · · Score: 0

      You're wasting your time. Browser manufacturers have set out to destroy encryption on the web, one foundation at a time.

    7. Re:Try not to be misguided by Anonymous Coward · · Score: 0

      How is that any different than what is happening now?
      The first visit is always unsafe, and the CAs issue bogus shit all the time.

    8. Re:Try not to be misguided by squiggleslash · · Score: 1

      I'm not sure that example is much of a problem. The certificate is checked, and the user asked, before the actual HTTP request is made. The sequence is "Set up secure link, if there's a problem check with the user, if everything's OK so far send the GET or POST, header, and form data."

      --
      You are not alone. This is not normal. None of this is normal.
    9. Re:Try not to be misguided by SilentChasm · · Score: 1

      Mozilla is working on that:
      https://blog.mozilla.org/secur...

    10. Re:Try not to be misguided by Bengie · · Score: 1

      "Weak" is less safe than "none". What's "better": telling someone they have a secure house when it is not, or telling someone they're in an unsecure house?

      Rule of thumb, wrong information is always the worst kind of information, even more than no information.

    11. Re:Try not to be misguided by Bengie · · Score: 1

      CAs don't issue bogus certs "all the time". Recently, a CA got caught when some of its employees issued a few invalid certs for internal testing, and they almost got blackballed by the industry. CAs risk losing their entire business issuing false certs.

  7. Safari 9 on the Mac... by Rick+Zeman · · Score: 2

    ...has a menu option in the develop menu for "Treat SHA-1 Certificates as insecure." Nice having the flexibility to turn that on and off depending on need.

  8. What about SHA2 support for DHE? by Lothsahn · · Score: 1

    https://bugzilla.mozilla.org/s...

    Firefox only currently supports DHE with SHA1. Are they going to add support for SHA256 DHE when they disable SHA1?

    To quote Michael Staruch from the above link:
    It looked more like attempts to discredit DHE and push everyone into ECC. And I am not so sure if that's the best way to protect our privacy, especially with multiple TLS clients supporting only NSA Suite B curves.

    Mozilla, we really need DHE to work with SHA256 and GCM. Sure, fallback to something else (with a second connection, if necessary) if weak dhparams are used by the server.

    --
    -=Lothsahn=-