Slash Boxes

SoylentNews is people

posted by martyb on Friday December 11 2015, @04:55PM   Printer-friendly
from the failure-to-communicate dept.

SHA1 certificates for secure SSL/TLS communications are deprecated due to known computational vulnerabilities. To ensure secure communications, a forced deprecation sounds reasonable (i.e. refuse to connect to these). That has the side effect that it will lock out many users who are unable to use stronger hashes such as SHA256. However, if a fallback to SHA1 is provided (as Facebook is proposing), everyone will be vulnerable to SHA1 downgrade man-in-the-middle attacks.

What to do?

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by pendorbound on Friday December 11 2015, @05:17PM

    by pendorbound (2688) on Friday December 11 2015, @05:17PM (#275037) Homepage

    Two options:

    1) A small number of users get an obvious error message that says they can't connect securely.
    2) The entire world thinks they're connecting securely while secretly getting downgraded and probably having no idea there's an MitM in place.

    Break the 7%. No question it's better than see an error & know you're insecure than have get no warning that you're insecure.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 3, Interesting) by tempest on Friday December 11 2015, @05:54PM

    by tempest (3050) on Friday December 11 2015, @05:54PM (#275061)

    I find it hard to believe this 7% isn't finding most of the internet dysfunctional already. If you're using windows XP with service pack 2 or lower, you have a lot more issues than this.

    The bigger problem is that you may not get an "obvious" error. I had this kind of issue a few weeks ago when a vendor was complaining they couldn't connect to a website because of "networking problems". Eventually I tracked it back to the version of IE they were using didn't support the required encryption to connect to the site. But the error was "cannot connect" with the usual Microsoft kind of "there could be a million things that are wrong" debugging help.

    • (Score: 0) by Anonymous Coward on Friday December 11 2015, @06:13PM

      by Anonymous Coward on Friday December 11 2015, @06:13PM (#275075)

      I have an Ancient GnuSense Laptop that I have not gotten around to upgrading yet. I get similar mysterious failure. Sometimes websites will work for a while, then suddenly refuse to (looking at you ixquick).

      I strongly suspect lack of support for newer hash algorithms is the problem.

  • (Score: 3, Interesting) by Hyperturtle on Friday December 11 2015, @08:05PM

    by Hyperturtle (2824) on Friday December 11 2015, @08:05PM (#275125)

    Can I still have the option to visit a site in cleartext?

    I promise not to log in if they take away the ability for me to log in and share personal data in clear text.

    It may be I just want to read something and don't want to have to replace old hardware to do it.

    Sort of like how hard it has become to set up a personal file share that various devices can access without having to fight the requirement for a cloud of some kind. Some hardware is designed to never connect locally and always to some remote service with terms of services that may change...

    It'd be nice if there was still an internet out there that was cleartext and low bandwidth and worked on older devices. I'd visit it. I guess there would be less sites due to the ads probably not working on such a model, but I can probably donate to a site following that model. I'd probably set one up how people used to have geocities pages or use their free 2MB of space given by their dialup provider in amazingly low bandwidth ways...

    • (Score: 0) by Anonymous Coward on Friday December 11 2015, @10:10PM

      by Anonymous Coward on Friday December 11 2015, @10:10PM (#275178)

      You may be interested in Gopher. Browser support has been removed over the years, rather than maintained, however.

      I have interest in (but have not tired) CJDNS, but that does not meet your "cleartext" criteria. Gopher should work fine over it though (If you have an IPv6 aware gopher host)

      • (Score: 2) by Hyperturtle on Monday December 14 2015, @12:37AM

        by Hyperturtle (2824) on Monday December 14 2015, @12:37AM (#275922)

        I'll give that a shot. I still like to stumble across telnet BBS's -- some that are in ANSI are a rare treat to behold.