SHA1 certificates for secure SSL/TLS communications are deprecated due to known computational vulnerabilities. To ensure secure communications, a forced deprecation sounds reasonable (i.e. refuse to connect to these). That has the side effect that it will lock out many users who are unable to use stronger hashes such as SHA256. However, if a fallback to SHA1 is provided (as Facebook is proposing), everyone will be vulnerable to SHA1 downgrade man-in-the-middle attacks.
What to do?
(Score: 0) by Anonymous Coward on Friday December 11 2015, @05:58PM
target.com just served me a HMAC-SHA1 cert on checkout.
They didn't learn much from their data breach last year.
(Score: 0) by Anonymous Coward on Friday December 11 2015, @06:08PM
Why would they? You don't actually think corporations care about you do you?
(Score: 2) by Nollij on Friday December 11 2015, @09:49PM
Care about us? Of course not.
But I would think they care about themselves, and that breach was expensive. $67 million of expensive [nbcnews.com]
(Score: 0) by Anonymous Coward on Friday December 11 2015, @06:50PM
Does that really matter in practice? You think the hackers will spend time cracking SHA1 to MITM your connection? If the hackers wanted to they would most likely hack Target directly just like they did before. And it would still probably be easier than cracking SHA1. Same probably applies to most sites.
And if the big guys/high end hackers wanted to they'd just get a pwned/friendly CA to sign the certs to MITM you. Your browsers will trust those certs by default[1]- spanking brand new 256 bit SHA hash and all. How many of the "important" sites you frequent use certificate pinning anyway?
[1] Most browsers trust very many CAs by default. More than most people should trust. I've revoked trust on many of the CA certs on Firefox and I definitely don't need most of those CA certs around to use the sites I use. If you're paranoid run a different instance of firefox for your online banking and revoke trust on all the CAs except the ones your bank uses, or use certificate patrol.
If you use Chrome on Windows or IE, there is no way to know of all the certificates that your browser trusts. Please read: http://www.proper.com/root-cert-problem/ [proper.com]
(Score: 2) by edIII on Friday December 11 2015, @08:44PM
In what world is attacking the HVAC system to access internal networks a direct attack? They literally went through the air conditioner to attack Target. SHA1 probably never even applied, but I'm not aware of what exploit they used against it.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Saturday December 12 2015, @07:02PM
You're basically supporting my point even though you can't see it. Especially with your "SHA1 probably never even applied," too. Interesting you could see that but not realize what it means in the big picture.