SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)
itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.
> The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world,"
Everybody should donate now today, they are probably accepting all kinds of SHA256 signed certs!
People running obsolete systems feed botnets and impede others from staying current. Upgrade or fuck off.
Can't upgrade because reasons? Go cry to whomever is creating that problem for you, and if that amounts to you then keep it to yourself.
That even Windows XP supports the latest browsers still... or at least some variant of them.
If they don't want to move on from IE 6, that's their god damn problem.
Some of the older Oracle products only support SHA-1. Upgrading to a newer version or Oracle will cost them millions. Won't someone think of the Oracle user base?
So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?
John
This is just ridiculous. It took me only a few minutes on the Internet to regenerate the certificates last year to move to SHA-2. I am actually more concerned with all the fallout we have due to TLS1.0 deprecation, which hit us early on this year actually, even though it wasn't supposed to happen until summer of 2016. Guess what, a number of payment processors basically forced us to lose browsers that only support TLS1.0. Yes, a number of people are not on browsers that support TLS1.1 or 1.2 yet. To keep our PCI compliance we have to switch away from TLS1.0 and our processors basically forced us this year. So we had to get around that in a number of ... less than perfect ways.
You can't handle the truth.
> Some of the older Oracle products only support SHA-1. Upgrading to a newer version or Oracle will cost them millions. Won't someone think of the Oracle user base?
Nonsense. Postgres is free.
Most of the places that they say do not update are home to some of the worst kinds of people. I'm talking about terrorists who use social media and scammers who use the internet to steal from people using social media. By cutting them off from using Facebook, at least that would slow them down some.
The only thing that I'm concerned about is agencies that use those services to help refugees and other people who actually need help. They would be hindered by this process. And most of those relief agencies are the ones that need it the most and can't afford to upgrade.
If two companies that hate each other agree that security needs to be updated in their software to protect a vast majority of people then it's probably the right thing to do. Maybe we should just do away with encryption altogether.. Maybe everyone should take the locks off their doors and cars so everyone can have access. Getting companies to upgrade security is a pain in the butt .. how many of you still swipe your credit cards instead of inserting the chip? Because merchants haven't updated their systems.. Walmart is the only place around here that reads chips on cards and some places like AdvanceAutoParts still require you to hand your card to the cashier so they can swipe it.. yeah, that's secure...
I heard they were initially going to name the company "Facefuck" due to the fact that Zuckerberg reportedly enjoyed large hung african american males fucking his face.
Can anyone confirm this is accurate?
I have one of these old browsers, and I'm not being cut off of the we
- Website owners configure allowable ciphers on their websites, which presumably the configure based on their user requirements.
- Browsers negotiate strongest supported configurable ciphers advertised by websites.
Why the hell do browser companies want to remove SHA1 support altogether? Seriously, what's next, will they just stop supporting plain HTTP because HTTP is far more likely to be abused?
Give the users some kind of feedback to know that SHA1 is being used by the site and that they should maybe get their shit together, but whether or not support is dropped should be up to the site administrator.
The current Firefox still runs on XP SP3 and doesn't use the Windows Crypto. I guess Chrome will also run. Thus not a big deal for Windows users.
Oracle users deserve all the pain they can get!
Don't complain of neck pain after hanging yourself.
Fortunately, slashdot will remain accessible as it still hasn't entered the 2010's and added encryption yet!
At least we hope so.
Maybe a loss of Internet access is just the jolt they need to get off their butt and upgrade.
The problem with that is that there is no actual way to detect that an old browser doesn't support SHA-2.
For example, older versions of Firefox/NSS since 2003 have supported SHA-2 server certificates, but not SHA-2 in TLS cipher suites as the MAC algorithm, which wasn't specified until years later.
The TLS ClientHello message does not specify which types of hash algorithm the client supports for certificates, only the list of cipher suites that the client supports.
Thus, Facebook, or anyone else, has no way of determining if a client really doesn't support SHA-2 server certificates.
What they are probably doing is assuming that clients that don't support SHA-2 MAC in TLS cipher suites . But that's a wrong assumption. Many older clients will be downgraded to SHA-1 server certificates as a result, even though they support SHA-2 certificates. And they will have no way of knowing that this happened.
-- Julien Pierre http://www.madbrain.com/blog
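An added Python sketch (not from the post above, and not Facebook's or CloudFlare's code) of the only signals a server actually has at certificate-selection time: the ClientHello's cipher suites and extensions. The classification rule `advertises_sha2` is the assumed heuristic the post describes, the two ClientHellos are constructed samples, and the legacy one shows the false negative: a TLS 1.0 client offering only SHA-1 cipher suites looks "SHA-2 incapable" even though its certificate verifier may handle SHA-256 fine.

```python
import struct

# TLS 1.2 cipher suites whose MAC/PRF hash is SHA-256 or SHA-384 (RFC 5246, RFC 5289), e.g.
# TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C) and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F).
SHA2_SUITES = {0x003C, 0x003D, 0x009C, 0x009D, 0xC027, 0xC02F, 0xC02B}
SIGNATURE_ALGORITHMS_EXT = 0x000D  # defined only since TLS 1.2, so older clients never send it

def build_client_hello(version, suites, extensions=()):
    """Constructed sample ClientHello (not a real capture) wrapped in a TLS record."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, cipher_suite_ids, extension_type_ids) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9  # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32  # client version, then 32 bytes of random
    p += 1 + record[p]  # session id
    n = struct.unpack_from("!H", record, p)[0]
    p += 2
    suites = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, n, 2)]
    p += n
    p += 1 + record[p]  # compression methods
    exts = []
    if p < len(record):  # extensions block is optional and absent in many pre-TLS-1.2 clients
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            exts.append(ext_type)
            p += 4 + ext_len
    return version, suites, exts

def advertises_sha2(record):
    """Assumed server-side rule: the client counts as SHA-2 capable only if its ClientHello
    carries a signature_algorithms extension or any SHA-256/SHA-384 cipher suite."""
    _version, suites, exts = parse_client_hello(record)
    return SIGNATURE_ALGORITHMS_EXT in exts or any(s in SHA2_SUITES for s in suites)

# Constructed samples: a TLS 1.2 client with an ECDHE-GCM suite and signature_algorithms
# listing rsa+sha256 (0x0401), and a TLS 1.0 client offering only AES128-SHA and 3DES-SHA.
# The second may verify SHA-256 certificates, but the handshake gives the server no way to know.
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x002F],
                                  [(SIGNATURE_ALGORITHMS_EXT, b"\x00\x02\x04\x01")])
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x000A])
```

Because the decision rests entirely on bytes the client (or anything on the path that rewrites the ClientHello) chooses to send, the same parser is also the place to log how often the SHA-1 path is taken, which is the only visibility a server has into the downgrade.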
Most web servers do that automatically. I'd be willing to bet that 99.999% of the web servers in use do, actually. Even the ones that can't do SHA-1 anymore, still have multiple levels they support; the server should negotiate for the highest shared level. Why is this being painted as some sort of innovation Facebook has miraculously engineered? (Effectively) every single web server and web browser out there is already doing this...
It's irrelevant, anyway - PCI-DSS will mandate it at some point for any site that accepts credit cards (if it hasn't already: PCI-DSS already mandates that support for all versions of SSL is dropped, and "early TLS" is dropped - they've not defined "early TLS" but TLS 1.0 is known to be vulnerable to attacks already, and TLS 1.1 is structurally weak, so I bet within a year this will be clarified to mean "both TLS 1.0 and TLS 1.1 must not be enabled" by the webserver. By June 2016 you have to get rid of TLS 1.0 if you accept credit card payments.
Some quite recent browsers don't support TLS 1.2 by default (I think some fairly recent versions of Internet Explorer need TLS 1.2 switching on manually).
> Postgres is free.
PostgreSQL is free until the application that you just tried to migrate from Oracle Database to PostgreSQL throws a syntax error. Then it costs time (which is money) to fix the apps if they're in-house or free, or it costs money to either purchase an upgrade to add PostgreSQL compatibility to a proprietary application or to migrate entirely from a proprietary application for which PostgreSQL compatibility is not available. Or does PostgreSQL's PL/pgSQL parser accept all PL/SQL and MySQL syntax to allow it to be used by applications that expect some Oracle product?
Comments like yours make open source advocates look like idiots.
Yes, PostgreSQL is a fine database system. Yes, it's free. Yes, it's probably an excellent choice for new installations.
But transitioning from Oracle, or any other RDBMS, to PostgreSQL is definitely not free!
Many organizations would have thousands, tens of thousands, and even hundreds of thousands of databases to transition.
Much of the software that uses these databases only supports the database currently in use, and not PostgreSQL.
A lot of that software is also closed-source third-party software, so it couldn't even be ported to PostgreSQL by its users.
Then they'd need to train their existing admins, or bring in new admins, to manage and maintain these systems.
There are also the many people who directly query these DBs who would have to learn to use PostgreSQL.
When you make an asinine suggestion, like you just did, it doesn't just make you look bad, but it makes all PostgreSQL and open source supporters look like kooks.
So I suggest that you apologize, and avoid making similarly idiotic comments in the future.
Persistent login is a completely orthogonal problem to TLS certificate forgery. What's going on is that Mozilla and Facebook are continuing to make SHA-1 access available and dealing with forgeries on a reactive basis until enough of the user base has migrated to allow the proactive approach of allowing only SHA-256 access.
Firefox wouldn't let me. At all. No option to override. Just "nope, not gonna do it". Had to use a real browser that gives options like Konqueror.
Try this: Allow connections from TLS 1.2 and TLS 1.0. But if the server detects that the client has fallen back to obsolete TLS, display an interstitial page once in each session, explaining the situation in a manner that correctly yet politely places the blame:
Then replace all "Check Out" buttons and links to manage saved payment credentials (if any) with a "Learn How to Check Out" that re-shows the interstitial.
The Firefox installer is in the neighborhood of 40 MB. That's two and a half hours of tying up the phone line if you have v.90/v.92 dial-up, or a nonzero cost if your ISP charges per bit as many cellular and satellite ISPs do.
> Seriously, what's next, will they just stop supporting plain HTTP because HTTP is far more likely to be abused?
They're heading in that direction. Service Workers are the new mechanism for a web application to continue to work during interruptions in the Internet connection, and browsers already forbid use of Service Workers delivered through HTTP unless they came from localhost.
But another difference has been repeated in previous articles about Perspectives, Convergence, WoSign, Let's Encrypt, and other means of working around the cost of avoiding MITM attacks on TLS. The difference between cleartext and low-grade TLS, such as HTTPS with a self-signed certificate or old versions of TLS or weak hash algorithms, is a difference between a true sense of insecurity and a false sense of security. With HTTP, you know what you're not getting, as the globe in the address bar represents everyone who can potentially intercept your communication.
By definition, anyone here is someone the NSA doesn't care about anyway, so who cares about encryption?
Without encryption, anyone can sniff your session cookie, clone it, and post Goatse as fahrbot-bot.
For production sites, you don't use the auto-generated cert.
Correct: you export a CSR from the auto-generated keypair and use that to buy a certificate. Normally, you'd export one server's auto-generated keypair, export a CSR, buy the certificate, and import it to the other servers. But if you're paranoid about never exporting a private key, you'll end up with a separate certificate on each server in your load-balancing cluster.
I thought The Donald wanted to "close up the internet" to the very same set of people....
You have to update eventually... let the old things rot. Why do we even have to support the old junk anymore?
> The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world,"
It's their fault. People should be responsible for the community they're in. If their community is like shit, it's their fault.
Why, exactly, would it be a good thing to use some sort of janky hack to allow people to use encryption that we strongly suspect of being dangerously broken, or close to it?
Yes, it's unfortunate that there are people stuck on hardware or software that can't handle updated algorithms; but their ability to use encrypted communication is compromised by the fact that SHA1 is tottering, not by the fact that some servers might stop negotiating connections using it. Is there some benefit I'm not understanding here to bodging something together so that antique browsers can enjoy a false sense of security?
Is the notion that SHA1 isn't "all that broken", and is good enough to keep uninteresting traffic safe? Or does Zuckerberg just not want to lose that comforting little 'lock' symbol for his 40 million poorest facebook chattels?
Note that facebook's "solution" allows a malicious intermediary to fake that it is the insecure browser on behalf of someone using a secure browser.
Meaning that someone could man-in-the-middle the safe browsers by pretending to be the unsafe browser to Facebook.
This seems stupid.
If you have the Internet, just download Firefox or Chrome and your problem will be fixed.
If you don't have the Internet, then you have nothing to worry about.
If you don't understand why you should not use IE6, then fuck off, you are what makes the Internet a horrible place and you are probably already a weaponized zombie in someone's botnet. Just kill yourself.
You'd better have a monopoly on the product you are selling or the customer will just decide "the hell with that" and buy from another site that is easier.
If you see your would-be customers leaving for competing merchants that blatantly violate PCI DSS, report each noncompliant merchant to the company that handles its payment processing. When competing merchants start either turning away customers in the same way or losing their merchant accounts, watch upgrade conversions increase.
> poorest, most repressive, and most war-torn countries in the world
> Go cry to whomever is creating that problem for you, and if that amounts to you then keep it to yourself.
What recourse does one have?
Ending the repression and the combat
How would affected end users go about that, given the gross wealth inequality endemic in those parts of the world?
In about:config:
- security.tls.insecure_fallback_hosts
- security.tls.version.max
- security.tls.version.min
- security.tls.unrestricted_rc4_fallback
are the options you need to set appropriately. I can't remember exactly what they all do, but a client had a similar issue recently and it was one of these settings that corrected it.
I own a website with an SHA-1 cert. What I want to know is why Thawte, GoDaddy, Verisign, Comodo, etc. kept selling SHA-1 certs when they knew it was vulnerable? Last time I renewed the cert, I do not recall getting a warning about the vulnerability, at least not a stern warning.
How about you fix all that shittily written software?
> that don't support SHA-2 will be left without access to encrypted websites.
This is much ado about nothing. The devices that cannot support it are dead-ended already. They are not safe to use, so it makes sense that very soon they won't even be allowed to be used with SSL websites, even if the Webmaster wanted them to work. All the SSL websites I manage are already using SHA-2 certificates. Besides, you DON'T use an OS without SHA2 support and have zero issues today.
Also, the SHA-1 certs are considered weak and unsuitable for secure usage at this point, even sites such as Amazon and BankOfAmerica are using SHA-2 certs.
I think all the major e-tailers have X509 certs with a SHA-2 signature at this point.
How does Facebook/Cloudflare fallback mechanism work?
I have seen a few explanations here about SHA1 cipher negotiation, but this is about the certificate, not the cipher.
And this sort of thing is why I oppose default-encrypting of everything.
Once this kicks in, people with older systems and hardware or who can't go to newer browsers for whatever reason will be cut-off from large chunks of the Internet and Web - Sites that redirect their http to https like Google currently does will mean a lot of people won't be able to use it any more.
And for what? A false sense of security?
Current certs are already backdoor'd up the wazoo and seem to get compromised every other month by some CA getting hacked.
On top of it, SHA1 still requires a good deal of work to generate a useful collision, yet the current stance seems to suggest it's considered worse than an unencrypted connection, or being blocked completely?!
SHA1 should be still usable but with a warning - This is how Opera used to do things before it became a Chrome skin, giving an easily understandable visual rating on how secure and trustworthy a site was, not just secure/unsecure like all current browsers seem to do.
I hate to see the fragmentation - The Web is supposed to be an open platform, accessible by all and any, but as time moves on you are forced to use a tiny subset of browsers and you have to be rich enough to afford the most recent hardware to run it.
There are still lots of people who still use Win98, 2k, XP, Amigas etc., some through choice, others less so. Is this paranoia over encryption so much more important that we should renege on the whole point of the Internet, which is the free flow of information?
And what happens when the current system gets broken, because in all likelihood it will, either through bugs and flaws, someone finding a shortcut or next-gen tech like quantum computing?
What happens when encryption protocols become so complex that we need computers so powerful that we're burning kilowatts of power just to read the daily news?