Slashdot Mirror


SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)

itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.

24 of 146 comments

  1. Think of all the Oracle users? by mveloso · · Score: 4, Funny

    Some of the older Oracle products only support SHA-1. Upgrading to a newer version of Oracle will cost them millions. Won't someone think of the Oracle user base?

    1. Re:Think of all the Oracle users? by jellomizer · · Score: 2

      Serves them right.

      When will people stop and realize not to dig themselves into a vendor-only based solution?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Facebook -- ??? by plover · · Score: 3, Insightful

    So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?

    --
    John
    1. Re:Facebook -- ??? by Errol+backfiring · · Score: 3, Interesting

      My first thought was a kind of "degrading man in the middle" attack. Alter the requests so that non-secure certificates are negotiated, then tune in to the less secure communication while the browsers show that the connection is secure. You'd still need a lot of computing power to crack the SHA-1 encrypted stream, but for criminals, either government or otherwise, that is not a huge problem.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:Facebook -- ??? by Anonymous Coward · · Score: 4, Insightful

      Nope.

      Here's how this spins out.

      If you got a nice shiny new SHA-2-only browser, and you go to the real Facebook, it has a SHA-2 cert and everything works, and you're safe.
      If you got a crappy browser that can't handle SHA-2, and you go to the real Facebook, it shows a SHA-1 cert, which you trust; you are at risk, but only because you've got a crappy browser. Hate the risk? Get a newer browser.
      If you got a nice shiny new SHA-2-only browser and a bad guy pretends to be Facebook, sends the SHA-1 cert, your browser says "Ugh, insecure, No" and you're safe and the bad guy wasted their time.
      If you got a crappy browser that can't handle SHA-2 and a bad guy pretends to be Facebook, they might _if they spent a lot of money / resources_ fake you out. So you should have got a nice shiny new browser.

    3. Re:Facebook -- ??? by DarkOx · · Score: 2

      SHA-1 encrypted stream

      SHA-1 is NOT used to encrypt the stream. It's used to authenticate the certificate. Some other cipher like RC4, AES, 3DES, etc., is selected to encrypt the stream.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Facebook -- ??? by edtice1559 · · Score: 2

      If you don't have a certificate, many server applications (I guess IIS included) will automatically generate one for you. It's not from a trusted CA and your browser will complain loudly about it. But if you accept *and pin* the certificate it guarantees against impersonation. That works fine for internal apps. For production sites, you don't use the auto-generated cert. What applications are doing is similar to what SSH does on new connections. As long as you can guarantee the authenticity of the first request, you can prevent future impersonation. If the server and client are both under your control this is a viable solution. It's not for the public internet.

  3. Free Oracle upgrades available everywhere by Anonymous Coward · · Score: 2, Funny

    Some of the older Oracle products only support SHA-1. Upgrading to a newer version of Oracle will cost them millions. Won't someone think of the Oracle user base?

    Nonsense. Postgres is free.

    1. Re:Free Oracle upgrades available everywhere by mveloso · · Score: 3, Interesting

      Porting from Oracle to Postgres is free too, if you want everything to break.

  4. This is nonsensical fear mongering by Anonymous Coward · · Score: 2, Funny

    I have one of these old browsers, and I'm not being cut off of the we

  5. Slashdot will remain accessible by Ksevio · · Score: 5, Insightful

    Fortunately, slashdot will remain accessible as it still hasn't entered the 2010s and added encryption yet!

  6. Re:Pretty sure... by Locke2005 · · Score: 3, Interesting

    Problem for PCs is not browser availability or cost, problem is that for some people downloading a GByte of data to install a new browser is not feasible. Also, browsers are in everything now, including smartphones, smart TVs, and Nintendo DS, so you're stuck with what the hardware vendor supplies you. (Don't get me started on my Smart TV not showing videos because most hosts support video using Adobe Flash only, and Adobe refuses to license flash to most hardware manufacturers. HTML5 has been a standard for how many years now?)

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  7. Re:I don't see this as a problem, except for.... by Locke2005 · · Score: 2

    ISIS has their own computer help line. I'd say the terrorists have better IT support than most 'mericans...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  8. Re:I don't see this as a problem, except for.... by Githaron · · Score: 2

    What is the point of developing in the browser if you are only going to support one specific version from one specific vendor?

  9. How long has this warning been occurring? by QuietLagoon · · Score: 2

    Why should we downgrade the security of the internet for stragglers who refuse to update their security?

    Maybe a loss of Internet access is just the jolt they need to get off their butt and upgrade.

  10. Re:Good by tepples · · Score: 3, Insightful

    Can't upgrade because reasons? Go cry to whomever is creating that problem for you

    Such crying would fall on deaf ears, as mobile device manufacturers routinely announce end of support not only for handsets that are still under 2-year financing but also for handsets that are still being sold in stores. And when "whomever" amounts to the "poorest, most repressive, and most war-torn countries in the world," as the article mentions, what recourse does one have?

  11. They can't do this reliably by madbrain · · Score: 3, Interesting

    The problem with that is that there is no actual way to detect that an old browser doesn't support SHA-2.
    For example, older versions of Firefox/NSS since 2003 have supported SHA-2 server certificates, but not SHA-2 in TLS cipher suites as the MAC algorithm, which wasn't specified until years later.

    The TLS ClientHello message does not specify which types of hash algorithm the client supports for certificates, only the list of cipher suites that the client supports.

    Thus, Facebook, or anyone else, has no way of determining if a client really doesn't support SHA-2 server certificates.

    What they are probably doing is assuming that clients that don't support SHA-2 MAC in TLS cipher suites . But that's a wrong assumption. Many older clients will be downgraded to SHA-1 server certificates as a result, even though they support SHA-2 certificates. And they will have no way of knowing that this happened.

    --
    -- Julien Pierre http://www.madbrain.com/blog
    1. Re:They can't do this reliably by petermgreen · · Score: 2

      If a browser will trust SHA1 certificates then it doesn't really matter whether the legitimate site sends a SHA1 cert or a SHA2 cert. What matters is that they will accept a SHA1 cert from an attacker and there is nothing the legitimate site can do about that.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    2. Re:They can't do this reliably by edtice1559 · · Score: 3, Informative

      Rather than guess what they are probably doing, the source code is here. https://github.com/facebook/wa... But you were pretty close. You're right that *some* browsers that *could* get an SHA2 certificate will get the SHA1 version. An improvement would be to present the SHA2 certificate if you're sure that the browser can accept it. Otherwise show the SHA1 certificate. Put a warning page up when presenting the SHA1 certificate suggesting that people upgrade browsers. For those that have older browsers that want the SHA2 certificate but are getting an SHA1, offer an alternative like sha2.facebook.com. I imagine that this is a very small set of users. And as has been mentioned already, certificate pinning is your friend.
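
The subthread above turns on what a server can actually learn about a client's certificate-hash support from the ClientHello. The following is an added example, not Facebook's or CloudFlare's code (the linked repository's selection logic is not reproduced here): it serialises two constructed ClientHello records and runs a selection heuristic over them. One fact worth having in front of you when reading it: TLS 1.2 (RFC 5246) introduced the signature_algorithms extension, in which a client lists the hash/signature pairs it accepts in certificates, so a current browser does say "sha256" explicitly. Clients that never send that extension leave the server to infer from the cipher-suite list, and a TLS 1.0 client that can verify SHA-2 certificates is byte-for-byte indistinguishable from one that cannot, which is the false-negative case described above. All constants, the sample messages and the choose_certificate heuristic are assumptions for illustration.

```python
import struct

# TLS constants from RFC 5246; cipher-suite IDs from the IANA registry.
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SIGNATURE_ALGORITHMS = 0x000D
HASH_SHA1, HASH_SHA256, SIG_RSA = 2, 4, 1        # HashAlgorithm / SignatureAlgorithm values

TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
SHA256_SUITES = {TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}


def build_client_hello(version, suites, sig_algs=None):
    """Serialise a minimal ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack(">H", version) + bytes(32)          # client_version + zeroed Random
    body += b"\x00"                                          # empty session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                      # compression_methods: null only
    if sig_algs is not None:                                 # TLS 1.2 signature_algorithms extension
        pairs = b"".join(bytes([h, s]) for h, s in sig_algs)
        ext = struct.pack(">HHH", EXT_SIGNATURE_ALGORITHMS, len(pairs) + 2, len(pairs)) + pairs
        body += struct.pack(">H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", version, len(hs)) + hs


def parse_client_hello(record):
    """Pull version, cipher suites and (if sent) signature_algorithms out of a ClientHello."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[:2])[0]
    p = 2 + 32                                               # skip Random
    p += 1 + body[p]                                         # skip session_id
    cs_len = struct.unpack(">H", body[p:p + 2])[0]
    p += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                                         # skip compression_methods
    sig_algs = None
    if p + 2 <= len(body):                                   # extensions block is optional
        ext_len = struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", body[p:p + 4])
            p += 4
            data = body[p:p + elen]
            p += elen
            if etype == EXT_SIGNATURE_ALGORITHMS:
                n = struct.unpack(">H", data[:2])[0]
                sig_algs = [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return {"version": version, "suites": suites, "sig_algs": sig_algs}


def choose_certificate(hello):
    """Pick which of two certificates (SHA-256-signed or SHA-1-signed) to present.

    Only the first branch is a statement by the client about certificate hashes; the rest
    are inferences. RFC 5246 says a missing signature_algorithms extension is to be read
    as "sha1 with the key's signature algorithm", so the last branch is the fallback the
    thread describes: an old client that could verify SHA-2 gets the SHA-1 cert anyway.
    """
    if hello["sig_algs"] is not None:
        if any(h == HASH_SHA256 for h, _ in hello["sig_algs"]):
            return "sha256", "client advertises sha256 in signature_algorithms"
        return "sha1", "signature_algorithms sent without sha256"
    if any(s in SHA256_SUITES for s in hello["suites"]):
        return "sha256", "offers a SHA-256 cipher suite (inference, not a statement)"
    return "sha1", "no signal at all: heuristic fallback, may be a false negative"


# Constructed samples (not captures): a current browser, and a TLS 1.0 client. A TLS 1.0
# client that CAN verify SHA-2 certificates sends exactly the same bytes as one that cannot.
MODERN_HELLO = build_client_hello(
    0x0303,
    [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA],
    sig_algs=[(HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])
LEGACY_HELLO = build_client_hello(
    0x0301, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA])
OLD_BUT_SHA2_CAPABLE_HELLO = LEGACY_HELLO     # identical on the wire: the server cannot tell

if __name__ == "__main__":
    for name, rec in [("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)]:
        print(name, choose_certificate(parse_client_hello(rec)))
```

Running it shows the modern hello selected on an explicit signal and the legacy hello selected on the fallback branch; the third sample is the same byte string as the second, which is the whole problem: the only reliable signal is the extension that pre-1.2 clients never send.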

  12. It's irrelevant by Alioth · · Score: 2

    It's irrelevant, anyway - PCI-DSS will mandate it at some point for any site that accepts credit cards (if it hasn't already: PCI-DSS already mandates that support for all versions of SSL is dropped, and "early TLS" is dropped - they've not defined "early TLS", but TLS 1.0 is known to be vulnerable to attacks already, and TLS 1.1 is structurally weak, so I bet within a year this will be clarified to mean "both TLS 1.0 and TLS 1.1 must not be enabled" by the webserver). By June 2016 you have to get rid of TLS 1.0 if you accept credit card payments.

    Some quite recent browsers don't support TLS 1.2 by default (I think some fairly recent versions of Internet Explorer need TLS 1.2 switching on manually).

    1. Re:It's irrelevant by roman_mir · · Score: 2

      Never mind 2016, one of the payment processors that we are using (FirstData) forced us to turn off TLS1.0 back in June of this year!

  13. Re:Pretty sure... by Anonymous Coward · · Score: 2, Informative

    Errr... a GByte of data? Are you confusing it with the pushed Windows 10 update?

    Firefox was less than 50MB last time I did a full install.

    The real problem in this case may end being that the overbloated browsers drop support for older systems.

  14. Re: Pretty sure... by Anonymous Coward · · Score: 2, Funny

    When you can't access most websites because your browser only supports SHA-1, you may find you have a lot of capacity left on your monthly limit...

  15. Re:facebook...solved...what? by JesseMcDonald · · Score: 2

    If I understand the issue correctly, this isn't something that can be negotiated. The problem is the hash algorithm used by the CA to sign Facebook's public key, not the hash used for the content itself (which would be negotiated). Under normal circumstances a site only has one CA-signed certificate which it presents to all clients. The problem is that new browsers won't accept certificates signed by the CA with a SHA-1 hash, while older browsers will reject certificates signed with SHA-2.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
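
Comment 15 and DarkOx's reply in thread 2 make the same point: the hash is fixed when the CA signs the certificate, not negotiated per connection, so serving both old and new clients means holding two certificates and choosing one at handshake time. The added example below (not from the page, nor from Facebook) walks the DER structure of a certificate to read that algorithm out, and applies the one consistency check a verifier should make here: the AlgorithmIdentifier inside the signed tbsCertificate must equal the outer signatureAlgorithm field (RFC 5280 section 4.1.1.2), since only the inner one is covered by the signature. The certificates are constructed skeletons carrying just the fields the walker needs, with a zeroed signatureValue; they are not real certificates, and the OIDs are the standard ones from RFC 3279 and RFC 4055.

```python
# OIDs for the two RSA signature schemes the thread contrasts.
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
ALG_NAMES = {OID_SHA1_WITH_RSA: "sha1WithRSAEncryption",
             OID_SHA256_WITH_RSA: "sha256WithRSAEncryption"}
SEQUENCE, INTEGER, BIT_STRING, OID, NULL = 0x30, 0x02, 0x03, 0x06, 0x05


# --- minimal DER encoder, used only to build the constructed sample certificates ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(OID, bytes(out))


def build_cert_skeleton(outer_alg, inner_alg=None):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Constructed shape only: tbsCertificate holds just serialNumber and its 'signature'
    field, and signatureValue is a zero placeholder, not a real signature."""
    inner_alg = inner_alg or outer_alg
    alg_id = lambda oid: der(SEQUENCE, encode_oid(oid) + der(NULL, b""))   # AlgorithmIdentifier
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + alg_id(inner_alg))
    sig = der(BIT_STRING, b"\x00" + bytes(32))
    return der(SEQUENCE, tbs + alg_id(outer_alg) + sig)


# --- the DER walker a verifier actually needs ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(content):
    parts, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def signature_algorithms(cert_der):
    """Return (oid inside tbsCertificate, outer signatureAlgorithm oid)."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    (_, tbs), (_, outer), _sig = children(cert)[:3]
    # In a real v3 cert the TBS children are [0] version, INTEGER serial, SEQUENCE signature,
    # so the first SEQUENCE child is the inner AlgorithmIdentifier in both cases.
    inner = next(body for t, body in children(tbs) if t == SEQUENCE)
    oid_of = lambda alg: decode_oid(children(alg)[0][1])
    return oid_of(inner), oid_of(outer)


def describe(cert_der):
    inner, outer = signature_algorithms(cert_der)
    return {"algorithm": ALG_NAMES.get(outer, outer),
            "uses_sha1": outer == OID_SHA1_WITH_RSA,
            "consistent": inner == outer}       # RFC 5280 4.1.1.2: the two fields must match


if __name__ == "__main__":
    for label, cert in [("sha1", build_cert_skeleton(OID_SHA1_WITH_RSA)),
                        ("sha256", build_cert_skeleton(OID_SHA256_WITH_RSA)),
                        ("tampered", build_cert_skeleton(OID_SHA256_WITH_RSA, OID_SHA1_WITH_RSA))]:
        print(label, describe(cert))
```

The third sample has a SHA-256 outer field over a SHA-1 inner field; a verifier that reads only the unsigned outer AlgorithmIdentifier would report it as a SHA-2 certificate, which is why the check compares both.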