Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 14 submissions in the queue.

Final Warning: Popular Browsers Will Soon Stop Accepting SHA-1 Certificates

posted by CoolHand on Friday November 18 2016, @08:32PM   Printer-friendly
from the CERTainly-time-to-update dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates.

"The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago and recent research points to the imminent possibility of attacks that could directly impact the integrity of the Web PKI," Chrome Security team member Andrew Whalley explained.

“Website operators are urged to check for the use of SHA-1 certificates and immediately contact their CA for a SHA-256 [i.e. SHA-2] based replacement if any are found,” he advised.

Certificate Authorities stopped issuing SHA-1 signed SSL/TLS certificates on January 1, 2016, but some of them are still valid.

Source: https://www.helpnetsecurity.com/2016/11/17/browsers-stop-sha-1-certificates/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Final Warning: Popular Browsers Will Soon Stop Accepting SHA-1 Certificates | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Username on Friday November 18 2016, @10:13PM

    by Username (4557) on Friday November 18 2016, @10:13PM (#429143)

    They should also set a date to remove support for SHA-2 in a few months, and start issuing SHA-3. So on and so forth.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 4, Informative) by NCommander on Friday November 18 2016, @10:36PM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Friday November 18 2016, @10:36PM (#429154) Homepage Journal

    Algromiths are only retired when they are broken, or at risk of a collision attack (which is the case of SHA-1). The SHA program is designed to have multiple algros available to provide diversity in the ecosystem, and I won't be surprised that browser support for SHA3 will be coming along soon. With SHA1, there are ways to basically cause a certificate collision, and get an unconstrained CA certificate that would be trusted by all major browsers. Right now, the attack likely requires nation-state resources but as MD5 showed, that bar will get lower and lower as time goes on.

    SHA2 won't be retired until their are known weaknesses and/or breaks that will cause us to start the whole process over again.

    --
    Still always moving

    • (Score: 2) by RamiK on Friday November 18 2016, @11:23PM

      by RamiK (1813) on Friday November 18 2016, @11:23PM (#429176)

      Much of the SHA-2 set is practically within the reach of state actors: https://eprint.iacr.org/2016/374.pdf [iacr.org]

      Regardless, throw out general purpose programming and I'm sure a custom DSP could run circles around those super-computers with their over-sized caches and deep predictive trees causing all manner of latencies.

      --
      compiling...

  • (Score: 2) by RamiK on Friday November 18 2016, @10:46PM

    by RamiK (1813) on Friday November 18 2016, @10:46PM (#429159)

    SHA-2 includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

    SHA-224 isn't in TLS 1.3 since it's been shown to have issues. If SHA-256 shows any weaknesses they'll remove it too when the time comes.

    --
    compiling...