America, your military fails at security. That's the message from Netcraft security expert Paul Mutton, who has found a bunch of Department of Defence (DoD) agencies issuing SHA-1 certificates.
SHA-1 is almost as old as the art of war: created in 1995, it was secure then, but now, you only need US$75,000 to buy enough cloud CPU to can[sic] crack an SHA-1 signature.
Netcraft is waging war on the stubborn protocol, and earlier this month warned that there's still a quarter of a million SHA-1 certs with expiry dates of 2017 or later.
The use of those certs in dot-mil domains, however, singles it out for special criticism, since the National Institute of Standards and Technology (NIST) has long told US government agencies that SHA-1 is no longer acceptable.
Perhaps the NSA could help the military secure its systems.
[The story in The Register seems to be based on this Netcraft blog post which contains considerably more details about these security shortcomings. -Ed.]
(Score: 5, Informative) by Anonymous Coward on Saturday October 31 2015, @04:48AM
The summary is incorrect. You can't crack an SHA-1 signature, not even with all the computing power in the world. The authors found another type of collision attack against SHA-1. There are still no preimage attacks against SHA-1. In other words, it is possible to make two pieces of data that have the same SHA-1 hash, but it is not possible to take some existing data (such as a signed certificate) and make a different piece of data with the same SHA-1.
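The collision versus preimage distinction drawn in the comment above can be measured on a scaled-down hash; this is an added example, not part of the original post. It assumes SHA-1 truncated to 20 bits (the `BITS` constant, `toy_hash` and the input strings are constructed for the demo) so that both generic searches finish in seconds.

```python
import hashlib
from itertools import count

# Assumption for the demo: keep only the top 20 bits of SHA-1 so that
# brute-force search is feasible. Real SHA-1 digests are 160 bits.
BITS = 20


def toy_hash(data: bytes) -> int:
    """SHA-1 truncated to its top BITS bits."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - BITS)


def find_collision():
    """Birthday search: ANY two distinct inputs with the same digest.

    The searcher chooses both messages, so the expected cost is about
    2**(BITS/2) hash calls.
    """
    seen = {}
    for i in count():
        msg = b"collision-input-%d" % i   # constructed inputs
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes):
    """Match the digest of ONE fixed, already existing message.

    This is what replacing a signed certificate would require; the
    expected cost is about 2**BITS hash calls.
    """
    want = toy_hash(target)
    for i in count():
        msg = b"preimage-input-%d" % i    # constructed inputs
        if toy_hash(msg) == want:
            return msg, i + 1


if __name__ == "__main__":
    a, b, col_tries = find_collision()
    print("collision after", col_tries, "hashes:", a, b)
    target = b"constructed signed certificate body"
    forged, pre_tries = find_second_preimage(target)
    print("second preimage after", pre_tries, "hashes:", forged)
```

For the full 160-bit digest the same generic searches cost about 2^80 and 2^160 hash calls respectively, which is why a cheaper-than-generic collision attack does not by itself yield a forgery of an existing signed certificate.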