SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)
itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning that some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.
> The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world,"
Everybody should donate now today, they are probably accepting all kinds of SHA256 signed certs!
Even Windows XP still supports the latest browsers... or at least some variant of them.
If they don't want to move on from IE 6, that's their god damn problem.
Some of the older Oracle products only support SHA-1. Upgrading to a newer version or Oracle will cost them millions. Won't someone think of the Oracle user base?
So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?
John
This is just ridiculous. It took me only a few minutes on the Internet to regenerate the certificates last year to move to SHA-2. I am actually more concerned with all the fallout we have due to TLS1.0 deprecation, which hit us early on this year actually, even though it wasn't supposed to happen until summer of 2016. Guess what, a number of payment processors basically forced us to lose browsers that only support TLS1.0. Yes, a number of people are not on browsers that support TLS1.1 or 1.2 yet. To keep our PCI compliance we have to switch away from TLS1.0 and our processors basically forced us this year. So we had to get around that in a number of ... less than perfect ways.
You can't handle the truth.
> Some of the older Oracle products only support SHA-1. Upgrading to a newer version or Oracle will cost them millions. Won't someone think of the Oracle user base?
Nonsense. Postgres is free.
I have one of these old browsers, and I'm not being cut off of the we
- Website owners configure allowable ciphers on their websites, which presumably they configure based on their user requirements.
- Browsers negotiate strongest supported configurable ciphers advertised by websites.
Why the hell do browser companies want to remove SHA1 support altogether? Seriously, what's next, will they just stop supporting plain HTTP because HTTP is far more likely to be abused?
Give the users some kind of feedback to know that SHA1 is being used by the site and that they should maybe get their shit together, but whether or not support is dropped should be up to the site administrator.
"Most of the places that they say do not update are home of some of the worse kinds of people."
Sources? Even if this is true, the ratio of terrorist to non-terrorist is still probably quite small.
"And most of those relief agencies are the ones that need it the most and can't afford to upgrade."
Wait, which is it? Relief agencies or 'worse kinds of people'?
Nice try. Brush up on your critical thinking and play again some time!
The current Firefox still runs on XPSP3 and doesn't use the Windows Crypto. I guess Chrome will also run. Thus not a big deal for Windows users.
Oracle users deserve all the pain they can get!
Don't complain of neck pain after hanging yourself.
Fortunately, slashdot will remain accessible as it still hasn't entered the 2010's and added encryption yet!
At least we hope so.
> "Most of the places that they say do not update are home of some of the worse kinds of people."
> Sources? Even if this is true, the ratio of terrorist to non-terrorist is still probably quite small.
> "And most of those relief agencies are the ones that need it the most and can't afford to upgrade."
> Wait, which is it? Relief agencies or 'worse kinds of people'?
> Nice try. Brush up on your critical thinking and play again some time!
You need to brush up on your critical thinking. The terrorists don't use updated machines because the "relief" agencies don't update their machines.
> home of some of the worse kinds of people
Like Seattle? You do realize a lot of us here in Microsoftland have to run very old versions of IE for internal web sites. Our SharePoint extensions require MSIE6. Our accounting system uses ActiveX, and it works only with IE7. IE8 is required for Microsoft's attempt at an ERPish system. Since Microsoft doesn't allow you to install more than one version of IE, Microsoft is forcing corporations to buy multiple computers for many users. I have a laptop and two desktops so I can access those three internal sites. Microsoft is making a lot of money with these limitations they're adding to their server software.
And most of those relief agencies are the ones that need it the most and can't afford to upgrade.
Clicked 'Download Firefox Now'. Total cost: $0.
Have gnu, will travel.
ISIS has their own computer help line. I'd say the terrorists have better IT support than most 'mericans...
I've abandoned my search for truth; now I'm just looking for some useful delusions.
What is the point of developing in the browser if you are only going to support one specific version from one specific vendor?
Maybe a loss of Internet access is just the jolt they need to get off their butt and upgrade.
People running obsolete systems feed botnets and impede others from staying current.
This. The title of this article is very slanted; how about "SHA-1 Cutoff Will Shut Down Insecure Access" instead?
Can't upgrade because reasons? Go cry to whomever is creating that problem for you.
Such crying would fall on deaf ears, as mobile device manufacturers routinely announced end of support not only for handsets that are still under 2-year financing but also for handsets that are still being sold in stores. And when "whomever" amounts to the "poorest, most repressive, and most war-torn countries in the world," as the article mentions, what recourse does one have?
The problem with that is that there is no actual way to detect that an old browser doesn't support SHA-2.
For example, older versions of Firefox/NSS since 2003 have supported SHA-2 server certificates, but not SHA-2 in TLS cipher suites as the MAC algorithm, which wasn't specified until years later.
The TLS ClientHello message does not specify which types of hash algorithm the client supports for certificates, only the list of cipher suites that the client supports.
Thus, Facebook, or anyone else, has no way of determining if a client really doesn't support SHA-2 server certificates.
What they are probably doing is assuming that clients that don't support SHA-2 MAC in TLS cipher suites . But that's a wrong assumption. Many older clients will be downgraded to SHA-1 server certificates as a result, even though they support SHA-2 certificates. And they will have no way of knowing that this happened.
-- Julien Pierre http://www.madbrain.com/blog
Most web servers do that automatically. I'd be willing to bet that 99.999% of the web servers in use do, actually. Even the ones that can't do SHA-1 anymore, still have multiple levels they support; the server should negotiate for the highest shared level. Why is this being painted as some sort of innovation Facebook has miraculously engineered? (Effectively) every single web server and web browser out there is already doing this...
It's irrelevant, anyway - PCI-DSS will mandate it at some point for any site that accepts credit cards (if it hasn't already: PCI-DSS already mandates that support for all versions of SSL is dropped, and "early TLS" is dropped - they've not defined "early TLS" but TLS 1.0 is known to be vulnerable to attacks already, and TLS 1.1 is structurally weak, so I bet within a year this will be clarified to mean "both TLS 1.0 and TLS 1.1 must not be enabled" by the webserver). By June 2016 you have to get rid of TLS 1.0 if you accept credit card payments.
Some quite recent browsers don't support TLS 1.2 by default (I think some fairly recent versions of Internet Explorer need TLS 1.2 switching on manually).
Oolite: Elite-like game. For Mac, Linux and Windows
> Postgres is free.
PostgreSQL is free until the application that you just tried to migrate from Oracle Database to PostgreSQL throws a syntax error. Then it costs time (which is money) to fix the apps if they're in-house or free, or it costs money to either purchase an upgrade to add PostgreSQL compatibility to a proprietary application or to migrate entirely from a proprietary application for which PostgreSQL compatibility is not available. Or does PostgreSQL's PL/pgSQL parser accept all PL/SQL and MySQL syntax to allow it to be used by applications that expect some Oracle product?
Comments like yours make open source advocates look like idiots.
Yes, PostgreSQL is a fine database system. Yes, it's free. Yes, it's probably an excellent choice for new installations.
But transitioning from Oracle, or any other RDBMS, to PostgreSQL is definitely not free!
Many organizations would have thousands, tens of thousands, and even hundreds of thousands of databases to transition.
Much of the software that uses these databases only supports the database currently in use, and not PostgreSQL.
A lot of that software is also closed-source third-party software, so it couldn't even be ported to PostgreSQL by its users.
Then they'd need to train their existing admins, or bring in new admins, to manage and maintain these systems.
There are also the many people who directly query these DBs who would have to learn to use PostgreSQL.
When you make an asinine suggestion, like you just did, it doesn't just make you look bad, but it makes all PostgreSQL and open source supporters look like kooks.
So I suggest that you apologize, and avoid making similarly idiotic comments in the future.
Persistent login is a completely orthogonal problem to TLS certificate forgery. What's going on is that Mozilla and Facebook are continuing to make SHA-1 access available and dealing with forgeries on a reactive basis until enough of the user base has migrated to allow the proactive approach of allowing only SHA-256 access.
One place I worked at got around that by using something called Thinstall (now VMWare ThinApp.) They made a "golden master", took a snapshot, installed IE, took another snapshot, then was able to distribute that blob (which ran IE in a sandbox.) That way, those sites that required IE 6 still ran, while other sites which required newer versions of IE were accessible as well.
My last job, I solved an issue similar to this (a certain appliance that had to have a certain version of OS, IE and Java, and not a rev older or newer) by having specific Windows VMs that were able to be remotely logged in. It took RAM and disk space, but it did allow for backlevel use at anytime. For security reasons, if nobody was logged on, the VM would get flushed, going back to a known tested snapshot. It also was on its own vSwitch behind a pfSense firewall that blocked everything but incoming RDP and communication to the appliance, so if it did get infected, the damage it could do (as it was there to only communicate with a limited amount of hosts) was limited.
Of course, the downside of virtualization is needing to have the hardware for it, but better one machine with a bunch of VMs than a number of separate boxes.
I fail to see how your organization failing to upgrade 10+ year out of date software is our problem.
Also... SharePoint. *ding*
I'm a good cook. I'm a fantastic eater. - Steven Brust
Firefox wouldn't let me. At all. No option to override. Just "nope, not gonna do it". Had to use a real browser that gives options like Konqueror.
Try this: Allow connections from TLS 1.2 and TLS 1.0. But if the server detects that the client has fallen back to obsolete TLS, display an interstitial page once in each session, explaining the situation in a manner that correctly yet politely places the blame:
Then replace all "Check Out" buttons and links to manage saved payment credentials (if any) with a "Learn How to Check Out" that re-shows the interstitial.
To work around software restriction policies (such as those implemented through AppLocker) that allow execution of DHTML applications but forbid local installation of native applications. It's the same reason that early Wii homebrew (such as WiiCade.com) relied on Flash and DHTML instead of native applications, which Nintendo forbade amateurs from developing, until the Twilight Hack blew open native homebrew.
The Firefox installer is in the neighborhood of 40 MB. That's two and a half hours of tying up the phone line if you have v.90/v.92 dial-up, or a nonzero cost if your ISP charges per bit as many cellular and satellite ISPs do.
> Seriously, what's next, will they just stop supporting plain HTTP because HTTP is far more likely to be abused?
They're heading in that direction. Service Workers are the new mechanism for a web application to continue to work during interruptions in the Internet connection, and browsers already forbid use of Service Workers delivered through HTTP unless they came from localhost.
But another difference has been repeated in previous articles about Perspectives, Convergence, WoSign, Let's Encrypt, and other means of working around the cost of avoiding MITM attacks on TLS. The difference between cleartext and low-grade TLS, such as HTTPS with a self-signed certificate or old versions of TLS or weak hash algorithms, is a difference between a true sense of insecurity and a false sense of security. With HTTP, you know what you're not getting, as the globe in the address bar represents everyone who can potentially intercept your communication.
By definition, anyone here is someone the NSA doesn't care about anyway, so who cares about encryption?
Bill Gates not even needed
Without encryption, anyone can sniff your session cookie, clone it, and post Goatse as fahrbot-bot.
For production sites, you don't use the auto-generated cert.
Correct: you export a CSR from the auto-generated keypair and use that to buy a certificate. Normally, you'd export one server's auto-generated keypair, export a CSR, buy the certificate, and import it to the other servers. But if you're paranoid about never exporting a private key, you'll end up with a separate certificate on each server in your load-balancing cluster.
I thought The Donald wanted to "close up the internet" to the very same set of people....
You have to update eventually... let the old things rot. Why do we even have to support the old junk anymore?
> The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world,"
It's their fault. People should be responsible for the community they're in. If their community is like shit, it's their fault.
Why, exactly, would it be a good thing to use some sort of janky hack to allow people to use encryption that we strongly suspect of being dangerously broken, or close to it?
Yes, it's unfortunate that there are people stuck on hardware or software that can't handle updated algorithms; but their ability to use encrypted communication is compromised by the fact that SHA1 is tottering, not by the fact that some servers might stop negotiating connections using it. Is there some benefit I'm not understanding here to bodging something together so that antique browsers can enjoy a false sense of security?
Is the notion that SHA1 isn't "all that broken", and is good enough to keep uninteresting traffic safe? Or does Zuckerberg just not want to lose that comforting little 'lock' symbol for his 40 million poorest facebook chattels?
> And when "whomever" amounts to the "poorest, most repressive, and most war-torn countries in the world," as the article mentions, what recourse does one have?
Ending the repression and the combat would seem to be one option.
Perhaps it's worth considering doing that?
Note that facebook's "solution" allows a malicious intermediary to fake that it is the insecure browser on behalf of someone using a secure browser.
Meaning that someone could man-in-the-middle the safe browsers by pretending to be the unsafe browser to Facebook.
This seems stupid.
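Julien Pierre's comment above explains that a ClientHello carries only the cipher-suite list (and, from TLS 1.2 on, a signature_algorithms extension), so a server can only guess whether the client verifies SHA-2 certificates; the comment just above adds that whatever the server keys on can be stripped by an on-path party. The Python below is an added illustration of that heuristic and its blind spot, not CloudFlare's or Facebook's code: the `choose_chain` decision, the suite subset and every ClientHello byte string are constructed for the example.

```python
import struct

SIGNATURE_ALGORITHMS_EXT = 0x000D
# Small subset of TLS 1.2 suites whose MAC/PRF is SHA-256 or SHA-384
# (RFC 5246, 5288, 5289); any of these in the hello implies SHA-2 support.
SHA2_CIPHER_SUITES = {0x003C, 0x003D, 0x009C, 0x009D, 0xC027, 0xC028, 0xC02F, 0xC030}
SHA2_HASH_IDS = {4, 5, 6}  # HashAlgorithm sha256, sha384, sha512


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (record and handshake headers already removed)."""
    pos = 2 + 32                                   # client_version, random
    pos += 1 + body[pos]                           # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    sig_hashes = []
    has_extensions = pos < len(body)               # TLS 1.0 hellos usually end here
    if has_extensions:
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, length = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == SIGNATURE_ALGORITHMS_EXT:
                (n,) = struct.unpack_from("!H", data, 0)
                # list of SignatureAndHashAlgorithm {hash, signature} pairs
                sig_hashes = [data[2 + i] for i in range(0, n, 2)]
    return {"suites": suites, "sig_hashes": sig_hashes, "has_extensions": has_extensions}


def choose_chain(body: bytes) -> tuple:
    """Return (chain, reason): 'sha256' if SHA-2 is advertised, else 'sha1'.

    The thread's caveat applies: a TLS 1.0 client sends no signature_algorithms
    extension and no SHA-256 suites even when it verifies SHA-256 certificates
    fine, and an on-path party can strip both from a modern hello. 'sha1' thus
    means 'not advertised', so the reason should be logged and audited.
    """
    hello = parse_client_hello(body)
    if set(hello["suites"]) & SHA2_CIPHER_SUITES:
        return "sha256", "sha2-cipher-suite"
    if SHA2_HASH_IDS & set(hello["sig_hashes"]):
        return "sha256", "signature_algorithms"
    return "sha1", "no-sha2-signal" + ("" if hello["has_extensions"] else ", no extensions")


def build_hello(version: bytes, suites, extensions: bytes = b"") -> bytes:
    """Build a constructed ClientHello body (empty session id, null compression)."""
    body = version + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return body


# signature_algorithms advertising sha256/rsa (4,1) and sha1/rsa (2,1)
SIG_ALGS_EXT = struct.pack("!HHH", SIGNATURE_ALGORITHMS_EXT, 6, 4) + bytes([4, 1, 2, 1])
MODERN_HELLO = build_hello(b"\x03\x03", [0xC02F, 0x003C, 0x002F], SIG_ALGS_EXT)
LEGACY_HELLO = build_hello(b"\x03\x01", [0x002F, 0x000A])  # TLS 1.0, SHA-1 MAC suites only
# The MODERN_HELLO client after an intermediary dropped every SHA-2 signal: the
# server sees the same thing as a legacy client, which is the thread's objection.
STRIPPED_HELLO = build_hello(b"\x03\x03", [0x002F])

if __name__ == "__main__":
    for name in ("MODERN_HELLO", "LEGACY_HELLO", "STRIPPED_HELLO"):
        print(name, "->", choose_chain(globals()[name]))
```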
If you have the Internet, just download Firefox or Chrome and your problem will be fixed.
If you don't have the Internet, then you have nothing to worry about.
If you don't understand why you should not use IE6, then fuck off, you are what makes the Internet a horrible place and you are probably already a weaponized zombie in someone's botnet. Just kill yourself.
You'd better have a monopoly on the product you are selling or the customer will just decide "the hell with that" and buy from another site that is easier.
If you see your would-be customers leaving for competing merchants that blatantly violate PCI DSS, report each noncompliant merchant to the company that handles its payment processing. When competing merchants start either turning away customers in the same way or losing their merchant accounts, watch upgrade conversions increase.
> poorest, most repressive, and most war-torn countries in the world
Go cry to whomever is creating that problem for you, and if that amounts to you then keep it to yourself.
> what recourse does one have?
> Ending the repression and the combat
How would affected end users go about that, given the gross wealth inequality endemic in those parts of the world?
Download Opera or Opera Mini. It runs on everything except iOS and iOS takes care of its own browser updates.
about:config
security.tls.insecure_fallback_hosts
security.tls.version.max
security.tls.version.min
security.tls.unrestricted_rc4_fallback
are the options you need to set appropriately. I can't remember exactly what they all do, but a client had a similar issue recently and it was one of these settings that corrected it.
> Ending the repression and the combat would seem to be one option.
> Perhaps it's worth considering doing that?
Good idea. Who should we nominate?
Two paragraphs dumbass.
The first paragraph refers to the worse kind of people, scammers and terrorist.
Second paragraph, relief agencies that are not counted as "the worse kind of people", nor are the people they are trying to help. The relief agencies that I'm talking about don't have the large budgets for non-essential stuff, like up to date computers. They have to rely on handed down computers. Most of these computers are really outdated, 200 MHz Pentiums or lower.
Supporting World Peace Through Nuclear Pacification
I own a website with an SHA-1 cert. What I want to know is why Thawte, GoDaddy, Verisign, Comodo, etc. kept selling SHA-1 certs when they knew it was vulnerable? Last time I renewed the cert, I do not recall getting a warning about the vulnerability, at least not a stern warning.
How about you fix all that shittily written software?
> that don't support SHA-2 will be left without access to encrypted websites.
This is much ado about nothing. The devices that cannot support it are dead-ended already. They are not safe to use, so it makes sense that very soon they won't even be allowed to be used with SSL websites, even if the webmaster wanted them to work. All the SSL websites I manage are already using SHA-2 certificates. Besides, you DON'T use an OS without SHA2 support and have zero issues today.
Also, the SHA-1 certs are considered weak and unsuitable for secure usage at this point, even sites such as Amazon and BankOfAmerica are using SHA-2 certs.
I think all the major e-tailers have X509 certs with a SHA-2 signature at this point.
How does Facebook/Cloudflare fallback mechanism work?
I have seen a few explanations here about SHA1 cipher negotiation, but this is about the certificate, not the cipher.
Why blame his organization when it is Microsoft that is requiring MSIE 6.0? At my company, we can't even upgrade to Vista because Microsoft requires that we run XP and MSIE 6. Dealing with Microsoft requires you to be a decade or more behind the times.
Well, tough sh$t. Internet was created in the developed world, for the developed world. We owe nothing to the third-worlders, and particularly we're under no obligation to provide them with internet access. If they really need to be connected, they should install the new browsers. Cannot afford it? Then let them simply return to the banana fields and don't bother with Internet, because they don't really need it.
Maybe it's time for me to become a field agent for the CIA. I could go get a job at their IT field office and say stuff like, "That Windows 10 update offer? Yeah, I'm going to need you to click the ACCEPT button on that. Yes, I'll hold."
"So long and thanks for all the fish."
"You must be great fun at parties."
Il n'y a pas de Planet B.
And this sort of thing is why I oppose default-encrypting of everything.
Once this kicks in, people with older systems and hardware or who can't go to newer browsers for whatever reason will be cut-off from large chunks of the Internet and Web - Sites that redirect their http to https like Google currently does will mean a lot of people won't be able to use it any more.
And for what? A false sense of security?
Current certs are already backdoor'd up the wazoo and seem to get compromised every other month by some CA getting hacked.
On top of it, SHA1 still requires a good deal of work to generate a useful collision, yet the current stance seems to suggest it's considered worse than an unencrypted connection, or being blocked completely?!
SHA1 should be still usable but with a warning - This is how Opera used to do things before it became a Chrome skin, giving an easily understandable visual rating on how secure and trustworthy a site was, not just secure/unsecure like all current browsers seem to do.
I hate to see the fragmentation - The Web is supposed to be an open platform, accessible by all and any, but as time moves on you are forced to used a tiny subset of browsers and you have to be rich enough to afford the most recent hardware to run it.
There are still lots of people who still use Win98, 2k, XP, Amigas etc., some through choice, others less so. Is this paranoia over encryption so much more important that we should renege on the whole point of the Internet, which is the free flow of information?
And what happens when the current system gets broken, because in all likelihood it will, either through bugs and flaws, someone finding a shortcut or next-gen tech like quantum computing?
What happens when encryption protocols become so complex that we need computers so powerful that we're burning kilowatts of power just to read the daily news?