
SoylentNews is people

posted by martyb on Saturday October 31 2015, @01:54AM
from the ooops! dept.

America, your military fails at security. That's the message from Netcraft security expert Paul Mutton, who has found a bunch of Department of Defence (DoD) agencies issuing SHA-1 certificates.

SHA-1 is almost as old as the art of war: created in 1995, it was secure then, but now, you only need US$75,000 to buy enough cloud CPU to can[sic] crack an SHA-1 signature.

Netcraft is waging war on the stubborn protocol, and earlier this month warned that there's still a quarter of a million SHA-1 certs with expiry dates of 2017 or later.

The use of those certs in dot-mil domains, however, singles it out for special criticism, since the National Institute of Standards and Technology (NIST) has long told US government agencies that SHA-1 is no longer acceptable.

Perhaps the NSA could help the military secure its systems.

[The story in The Register seems to be based on this Netcraft blog post which contains considerably more details about these security shortcomings. -Ed.]


  • (Score: 0) by Anonymous Coward on Saturday October 31 2015, @02:31AM (#256769)

    here

    • (Score: 0) by Anonymous Coward on Saturday October 31 2015, @04:08PM (#256912)

      Your story is about as helpful as ROT13 is for encryption.

    • (Score: 0) by Anonymous Coward on Saturday October 31 2015, @11:17PM (#257027)

      Hmm, I am not sure what happened to my link. There were at least two earlier stories.

      one story [soylentnews.org]

      another story [soylentnews.org]

  • (Score: 2) by Valkor (4253) on Saturday October 31 2015, @03:16AM (#256779)

    "SHA-1 is almost as old as the art of war: created in 1995" Hmmm yes quite old.

    • (Score: 2, Informative) by Francis (5544) on Saturday October 31 2015, @03:20AM (#256782)

      I'm trying to figure out what they're referring to as that book is ancient.

  • (Score: 5, Informative) by Anonymous Coward on Saturday October 31 2015, @04:48AM (#256796)

    The summary is incorrect. You can't crack an SHA-1 signature, not even with all the computing power in the world. The authors found another type of collision attack against SHA-1. There are still no preimage attacks against SHA-1. In other words, it is possible to make two pieces of data that have the same SHA-1 hash, but it is not possible to take some existing data (such as a signed certificate) and make a different piece of data with the same SHA-1.
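
Added example (not part of the comment above or of the original story): the collision versus preimage distinction, shown on SHA-1 truncated to a few bits so both searches finish quickly. The truncation, the message prefixes and the sample "certificate body" are assumptions made for illustration; this shows only the generic birthday gap (about 2^(n/2) tries against about 2^n), not the cryptanalytic collision attack the story refers to.

```python
import hashlib
from itertools import count


def trunc_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data): a deliberately weakened toy hash."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def find_collision(bits: int):
    """Collision: the searcher chooses BOTH messages, so any matching pair counts."""
    seen = {}
    for i in count():
        msg = b"collide-%d" % i
        h = trunc_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1  # (first message, second message, tries)
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int):
    """Second preimage: must match the digest of ONE FIXED, already-existing message."""
    want = trunc_sha1(target, bits)
    for i in count():
        msg = b"forge-%d" % i
        if msg != target and trunc_sha1(msg, bits) == want:
            return msg, i + 1  # (matching message, tries)


if __name__ == "__main__":
    BITS = 20  # toy digest size; real SHA-1 is 160 bits
    signed = b"constructed signed certificate body"  # constructed sample input
    a, b, n_col = find_collision(BITS)
    forged, n_pre = find_second_preimage(signed, BITS)
    print(f"collision after {n_col} tries (birthday bound ~2^{BITS // 2}): {a!r} {b!r}")
    print(f"second preimage after {n_pre} tries (generic bound ~2^{BITS}): {forged!r}")
```
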