The SHA-1 End Times Have Arrived (threatpost.com)
"Deadlines imposed by browser makers deprecating support for the weakened SHA-1 hashing algorithm have arrived," writes Slashdot reader msm1267. "And while many websites and organizations have progressed in their migrations toward SHA-2 and other safer hashing algorithms, pain points and potential headaches still remain."
Threatpost reports:
Starting on Jan. 24, Mozilla's Firefox browser will be the first major browser to display a warning to its users who run into a site that doesn't support TLS certificates signed by the SHA-2 hashing algorithm... "SHA-1 deprecation in the context of the browser has been an unmitigated success. But it's just the tip of the SHA-2 migration iceberg. Most people are not seeing the whole problem," said Kevin Bocek, VP of security strategy and threat intelligence for Venafi. "SHA-1 isn't just a problem to solve by February, there are thousands more private certificates that will also need migrating"...
Experts warn the move to SHA-2 comes with a wide range of side effects, from unsupported applications and new hardware headaches tied to misconfigured equipment to cases of crippled credit card processing gear unable to communicate with backend servers. They say the entire process has been confusing and unwieldy for businesses dependent on a growing number of digital certificates used not only for their websites, but for data centers, cloud services, and mobile apps... According to Venafi's research team, 35 percent of the IPv4 websites it analyzed in November are still using insecure SHA-1 certificates. However, when researchers scanned Alexa's top 1 million most popular websites for SHA-2 compliance, they found only 536 sites were not compliant. The article describes how major tech companies are handling the move to SHA-2 compliance -- including Apple, Google, Microsoft, Facebook, Salesforce and Cloudflare.
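The summary's point is that the browser-facing certificates are only the visible part of the problem: the private, internal certificates on data center, cloud and mobile endpoints also need an inventory. The script below is an added example (not code from Threatpost, Venafi or the Slashdot submitter) that does the one check such an inventory needs: it reads a PEM or DER certificate, parses just enough ASN.1/DER to reach the outer signatureAlgorithm field, and flags SHA-1 (and MD5) signatures. It uses only the Python standard library. The `constructed_certificate` helper builds a certificate-shaped DER skeleton with a chosen signature OID so the example runs offline; those skeletons are constructed samples, not real certificates.

```python
"""Flag X.509 certificates whose outer signature uses SHA-1 (or MD5).

Parses only enough DER to reach the second element of
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Standard library only. Usage on a real file: python sha1_cert_check.py cert.pem
"""
import base64
import re
import sys

# Algorithm identifier OIDs from RFC 3279 / RFC 4055 / RFC 5758.
ALGORITHM_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, value = [], 0
    for byte in raw:                       # base-128, high bit set on continuation bytes
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first, second = (divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80))
    return ".".join(str(a) for a in [first, second] + arcs[1:])


def pem_to_der(data):
    """Strip PEM armour and base64-decode; DER input passes through unchanged."""
    if isinstance(data, bytes) and not data.startswith(b"-----"):
        return data
    text = data.decode() if isinstance(data, bytes) else data
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def to_pem(der):
    """Wrap DER bytes in PEM armour (used for the offline demo and tests)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm."""
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE: not a DER certificate"
    _, _, pos = _read_tlv(cert_body, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert_body, pos)     # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)       # OBJECT IDENTIFIER
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return _decode_oid(oid_bytes)


def check_certificate(data):
    """Classify a PEM or DER certificate: (algorithm name, is_weak)."""
    name = ALGORITHM_NAMES.get(signature_algorithm(pem_to_der(data)))
    name = name or signature_algorithm(pem_to_der(data))
    return name, name in WEAK_ALGORITHMS


def _tlv(tag, content):
    """DER-encode tag + length (short or long form) + content."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted string to OID content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(oid):
    """Constructed sample: certificate-shaped DER with the given signature OID.
    Not a real, verifiable certificate; only the outer structure is present."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 17)                              # stand-in signatureValue
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                       # real use: a cert file on disk
        with open(sys.argv[1], "rb") as fh:
            name, weak = check_certificate(fh.read())
        print(f"{sys.argv[1]}: {name} {'WEAK - migrate to SHA-2' if weak else 'ok'}")
    else:                                                       # offline demo on constructed samples
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            name, weak = check_certificate(constructed_certificate(oid))
            print(f"{name}: {'WEAK - migrate to SHA-2' if weak else 'ok'}")
```

Run over an exported certificate store (for example a directory of PEM files from a load balancer or an internal CA) this gives the same answer an `openssl x509 -text` look at "Signature Algorithm" would, without needing OpenSSL on the box. Note that the check inspects the outer signatureAlgorithm, which is what the browser deprecation is about; it does not tell you whether an intermediate further up the chain is also SHA-1, so run it on every certificate in the chain.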
We geeks and IT professionals who visit this website do not need convincing. Who here loves outdated, insecure, crappy software? OK, there are some who still use XP and do not like change, but they are in the minority.
The problem is there is no value placed on IT in business infrastructure or processes. We have all experienced it at some time in our career. We are outsourced, not invited to meetings that we would be in when dealing with IT, dictated to, forced to learn Cobol, Java, IE 6 stuff, and to keep unpatched systems secure somehow.
SHA-1 is not going anywhere where I work. IE 6 is too ingrained and our customers use it. So we use insecure IE 6 + insecure Server 2003 to process our HIPAA and credit card data, where we are fired if a security breach takes place. SHA-1 is required for the glue to hold most of our customer systems in place.
We are never invited to the meetings for these requirements. We are a cost. We are told "I promised the client it will be done in 48 HOURS!!" My company is the same as the last one, where we outsource everything to the cheapest bidder for the work. At least the present employer does not go to that extreme when they promise a client a month's worth of work must be done in 72 hours.
Anyway, our MBAs do not know what SHA-1 is. They do not care, as IT is plumbing. As long as no water is leaked, never replace the pipes. The problem is if we dictate to the customer "NO, USE SHA-2 and update your mission-critical $1.5 million app," they will give us the finger and go to a competitor.
Until IT is respected like it was back in the 1990s as part of the business process team that helps the organization perform its functions, SHA-1 will be like Java/Cobol and never be updated, no matter how many geeks whine.
If Java 8 stops SHA-1 or MD5 signing, then we will use an insecure version. HR will fire me if I break their apps, so what choice do I have?
http://saveie6.com/