The SHA-1 End Times Have Arrived

"Deadlines imposed by browser makers deprecating support for the weakened SHA-1 hashing algorithm have arrived," writes Slashdot reader msm1267. "And while many websites and organizations have progressed in their migrations toward SHA-2 and other safer hashing algorithms, pain points and potential headaches still remain." Threatpost reports: Starting on Jan. 24, Mozilla's Firefox browser will be the first major browser to display a warning to its users who run into a site that doesn't support TLS certificates signed by the SHA-2 hashing algorithm... "SHA-1 deprecation in the context of the browser has been an unmitigated success. But it's just the tip of the SHA-2 migration iceberg. Most people are not seeing the whole problem," said Kevin Bocek, VP of security strategy and threat intelligence for Venafi. "SHA-1 isn't just a problem to solve by February, there are thousands more private certificates that will also need migrating"...

Experts warn the move to SHA-2 comes with a wide range of side effects; from unsupported applications, new hardware headaches tied to misconfigured equipment and cases of crippled credit card processing gear unable to communicate with backend servers. They say the entire process has been confusing and unwieldy to businesses dependent on a growing number of digital certificates used for not only their websites, but data centers, cloud services, and mobile apps... According to Venafi's research team, 35 percent of the IPv4 websites it analyzed in November are still using insecure SHA-1 certificates. However, when researchers scanned Alexa's top 1 million most popular websites for SHA-2 compliance it found only 536 sites were not compliant. The article describes how major tech companies are handling the move to SHA-2 compliance -- including Apple, Google, Microsoft, Facebook, Salesforce and Cloudflare

Congratulations

[NotInHere]

You've got to move, but you can't move when you are a small browser vendor, or a hardware vendor. Its the big browser vendors who have enough leverage to convince people to switch to SHA-2.

Re:

[Gravis Zero]

$ echo "The world's smallest violin playing just for you." | shasum
1fbba1dd67c59513b4b6040b4036d6dd47e3858e -

Re:

[ls671]

Here the real checksum for the string:

$ echo -n "The world's smallest violin playing just for you." | shasum
1ec19fdbc2ad777c7a441264bf2db365290c4d15 -

Re:

[KiloByte]

Firefox isn't a "small browser", it's the only browser for most architectures. Chromium is Windows (not XP!)/Mac/Linux-glibc only, exclusively for amd64/i386 -- ARM is only for Android.

Also, Chromium is spyware that phones home even in "Incognito mode", going over any extensions (so uBlock+uMatrix are of no help). It contacts www.google-analytics.com so it's not just an update check or something benign.

So even on amd64, Firefox is the only real option.

Re:

[NotInHere]

Firefox isn't a "small browser", it's the only browser for most architectures.

I've meant my statement differently. Firefox does count as major browser for me (there are five currently, Safari, Internet explorer, Edge, Chrome, Firefox). Just for example if Opera did this, no website operator would care.

Re:

[jopsen]

Nobody is forceing hardware vendors to move... Websites can still offer sha1, but many probably won't due to the security implicationsing

Symptom of a larger problem

[Billly Gates]

Us geeks and IT professionals who visit this website do not need convincing. Who here loves outdated insecure crappy software? Ok there are some who use XP still who do not like change but are in the minority.

THe problem is no value in IT in business infrastructure or processes. We all experienced it some time in our career. We are outsourced, not invited to meetings that we would be in dealing with IT, dictated too, forced to learn Cobol, Java, IE 6 stuff, and to keep unpatched systems secure somehow.

Sha-1 is not going anywhere where I work. IE 6 is too ingrained and our customers use it. So we use insecure IE 6 + insecure Server 2003 to process our HIPA and credit card data where we are fired if a security breach takes place. Sha-1 is required for the glue to hold most of our customer systems in place.

We are never invited to the meetings for these requirements. We are a cost. We are told I promised the client it will be done in 48 HOURS!! My company is the smae as the last one where we outsource everything for the cheapest bidder too for the work. At least the employer presently does not go to that extreme when they promise a client a months worth of work must be done in 72 hours.

Anyway our MBA's do not know what a Sha-1 is?? They do not care as IT is plumbing. As long as no water is leaked never replace the pipes. THe problem is if we dictate to the customer NO USE SHA-2 and update your mission criticial $1.5 million dollar app they will give us the finger and go to a competitor.

Until IT is respected like it was back in the 1990's as part of the business process team to help the organization perform it's functions SHa-1 will be like Java/Cobol and never be updated no matter how many geeks whine.

If java 8 stops sha1 or MD5 signing then we will use an insecure version. HR will fire me if I break their apps so what choice do I have?

Re:

[Anonymous Coward]

Go work for a less crappy company.

Re:

[Gravis Zero]

THe problem is no value in IT in business infrastructure or processes

Actually, the problem is that there are no direct penalties for criminal negligence within a corporation.

HR will fire me if I break their apps so what choice do I have?

Go work for a company with more respect for IT. If you can't find one, found one!

Re:Symptom of a larger problem

[Pentium100]

As long as no water is leaked never replace the pipes.

Tell them that SHA-1 is the same as a lead pipe and IE6 is the same as a radium pipe. They may not leak, but it also may not be very healthy to drink the water that has been trough them.

However, some of the requirements are not reasonable. I agree that IE6 is really bad, but in some cases it may be running on a device that costs a lot to replace.

Is SHA-1 weak? Yes. But in some cases it may still be good enough. AFAIK, SHA-1 is weak against collision attacks (creating two messages with the same hash), but strong enough against regular attacks (create a message that produces a specified hash). So, if I use SHA-1 for authenticating VPN packets (quite a few devices do not support sha2), it should be good enough, since the attacker would need to change the encrypted packet such that it 1) matches the MAC and 2) is decrypted into something useful for the attacker.

Hey, even cracking a salted MD5 hash (to get the password) is still quite difficult.

This is different to the attack of me producing two contracts with different text and the same hash and then having you sign one of them, but later claiming that you signed the other.

Security and convenience (and cost) are opposite of each other. Because of this, you have to find a reasonable level of security.

Re:

[thegarbz]

Tell them that SHA-1 is the same as a lead pipe and IE6 is the same as a radium pipe.

Not going to work. Lead pipes are what made those MBA the men they are today.

Re:

[Cramer]

This is exactly the "sky is falling" bullshit around hashes. ALL HASHES HAVE COLLISIONS. (eg. one cannot uniquely represent more than 128bits with a 128bit value.) I have yet to see anyone offer proof of CREATING a collision, much less a method to modify a message without altering the hash -- at all, a meaningful modification is so remote as to be "impossible".

(I've only seen one "lab" example for MD5, where a file contains two documents and a block of padding such that altering a pointer controls which doc

Re:

[Anonymous Coward]

so what choice do I have?

1) You are treating MBA / HR / management / (insert another layer here) as an ignorant part of your work chain. You need to make them your allies and partner with them. Easier said than done I realize - however - it also indicates that you do not speak their language. Hint - build up a business case describing the outcome in terms of risk. Put together a high-level cost-benefit analysis of doing nothing vs. doing it right - this isn't as hard as it sounds believe it or not. HIPAA data costs ~$200 per

Re: Okay

[Anonymous Coward]

The other browsers are just as bad. I have found Chromium to be even worse about sucking up RAM like crazy. It's not uncommon for the browser to be using 50-75% of my 32GB of RAM. They all suck!

Re:

[F.Ultra]

Because SHA-3 was not meant to be a replacement for SHA-2. The reason for SHA-3 was to implement a hash that have a completely different design than that of SHA-1 and SHA-2 so that if we ever would see a problem with SHA-2 then it could be replaced by SHA-3 immediately. So SHA-3 is a backup.

Re:Why not move to SHA-3, if we're moving anyway?

[ls671]

Nobody should ever need more than SHA-640 anyway.

Re:

[F.Ultra]

While SHA-3 might be faster than SHA-2, something that is imho unknown, it was not one of the criteria when the competition for SHA-3 began. http://csrc.nist.gov/groups/ST... [nist.gov]

Re:

[F.Ultra]

Looks like it's faster in hardware currently which makes sense for credit-cards and other low power systems. Judging from the benchmarks done it looks like Skein was the fastest however (but this of course benched with software and not hardware). https://bench.cr.yp.to/results... [cr.yp.to]

I must have accidentally done something right

[caseih]

Just checked some of my certificates that I use on my own server and domain. They are all signed by my own personal CA. Looks like they are signed with SHA-512, which is part of the SHA-2 family. Been that way for 5 years, maybe 10 now. Guess I accidentally did something right when I created those certs years ago.

Re:

[ls671]

I just checked my 18 year old self-signed certificate, maybe time to upgrade:
Signature algorithm:
PKCS #1 MD5 With RSA Encryption

Re:

[thegarbz]

There's a lot of good guides to proper end to end security, and plenty of systems that will check it for you.
https://www.ssllabs.com/ [ssllabs.com]

You won't get an A+ rating using your own personal CA, but it can expose a whole lot of other problems beyond simply the choice of certificate, and quite frankly if you follow any idiots guide to OpenSSL on the internet these days you'll generate a pretty secure certificate.

Testing old Windows

[sl149q]

It becomes an interesting problem if you need to install an old XP, Vista or Windows 7 from the original ISO's (e.g. to diagnose a customer problem.) If you do need to update them or do anything from them you are out of luck because they don't know about anything other than SHA-1. You have to bring everything in via http or USB key.

Re:

[F.Ultra]

Or use Firefox on them since Firefox uses it's own crypto library and not the Windows supplied one. Still leaves you with the problem of Windows Updates but all packages are signed there, don't know how they sign them though if they use SHA1 there as well or if they do something else.

Re:

[jopsen]

Nothing is preventing websites from offering both sha1 and sha2.

Re:

[ruir]

Well, I migrated all of our sites to SHA2 two years ago...This topic is not new.

Re:

[TheRealMindChild]

SHA is a hashing algorithm, not encryption algorithm. SHA in this instance probably refers to the PKCS#5 password-based key derivation function

Yeah, bit me good

[rickb928]

Our legacy software we hoped would support SHA-256, which one of our processing platforms moved to 2 weeks ago. Nope, despite lukewarm assurances, it did not. Frantic migrations. Many upset users.

Over a 12+ year old app that has survived conversion from dialup to HTTPS to FTPS, moved through several processor changes, and finally the death begins. I expect other platforms to migrate off SHA-1/SHA-2 and kill this old beast dead.

A little more warning would be nice, but heh, we still would have had to leave i