SHA-1 cutoff could block millions of users from encrypted websites

Discussion in 'privacy technology' started by ronjor, Dec 10, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    What is not stressed in that article is that those two companies are NOT doing folks a favor, but just the reverse. We know that sha1 is weak and broken. Thus using it and especially patching methods to "jury rig" a user's ability to depend on it is crazy. Its time to move on and provide secure means to surf the web. The internet community has clearly determined its not safe so why countermand that fact and "patch" a way that may well hurt someone?
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Still a really bad idea to use it. Would a website be so cheap not to generate a modern certificate? I know the answer for some is yes but I bet its really because they are being lazy (who cares) and not cheap. Examples in the USA would point to yet again how corporations bear NO responsibility for allowing their members to get hacked.

    Also its tough to be sympathetic to those folks that want to run so "open" to known flaws. I see their hardware is many years behind what everyone around me is using. Are they still doing WEP on their routers too?
     
  5. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
  6. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    Even the largest bank of Asia, State Bank of India is still using SHA1. I doubt most of the sites would care unless Mozilla, Microsoft and Google took initiative to block these certificates.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Unless of course their members being hacked meant that the BANK pays for all the losses and time lost. Around here, there is NO corporate responsibility being imposed on organizations that don't protect users.
     
  8. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    My other concern here is that we end up with a blended solution where your browser decides whether to use SHA1 or SHA2 based on capabilities. It really would open the path to downgrade attacks.

    My only concern is the impact on people from poorer countries who may have difficulties because there device does not support SHA2. In reality I dont know how big an issue this is. Unfortunately, I think it is time to move on regardless of the impact.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Worse than "no responsibility" - since CISA, it's immunity. Which more or less mandates indiscriminate "sharing" to ensure the CYA part.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    Firefox ban on SHA-1 certs causing some security issues, Mozilla warns
    http://arstechnica.com/security/201...s-causing-some-security-issues-mozilla-warns/
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
Loading...