Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Chrome Firefox Google Internet Explorer Opera Safari Security The Internet

Why Google Is Pushing For a Web Free of SHA-1 108

An anonymous reader writes: Google recently announced Chrome will be gradually phasing out support for certificates using SHA-1 encryption. They said, "We need to ensure that by the time an attack against SHA-1 is demonstrated publicly, the web has already moved away from it." Developer Eric Mill has written up a post explaining why SHA-1 is dangerously weak, and why moving browsers away from acceptance of SHA-1 is a lengthy, but important process. Both Microsoft and Mozilla have deprecation plans in place, but Google's taking the additional step of showing the user that it's not secure. "This is a gutsy move by Google, and represents substantial risk. One major reason why it's been so hard for browsers to move away from signature algorithms is that when browsers tell a user an important site is broken, the user believes the browser is broken and switches browsers. Google seems to be betting that Chrome is trusted enough for its security and liked enough by its users that they can withstand the first mover disadvantage. Opera has also backed Google's plan. The Safari team is watching developments and hasn't announced anything."
This discussion has been archived. No new comments can be posted.

Why Google Is Pushing For a Web Free of SHA-1

Comments Filter:
  • SHA-1 (Score:5, Funny)

    by turkeydance ( 1266624 ) on Monday September 08, 2014 @06:42PM (#47857709)
    has hit the fan
  • by Anonymous Coward on Monday September 08, 2014 @06:48PM (#47857759)

    It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

    • by WaffleMonster ( 969671 ) on Monday September 08, 2014 @08:13PM (#47858301)

      It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

      Certificate authorities roots also use SHA1 and typically carry validity periods of decades.

      • by Anonymous Coward

        Root cert sigs are meaningless, they're self-signatures. They could be zeroed out and most trustdbs probably wouldn't care.

        • Root cert sigs are meaningless, they're self-signatures. They could be zeroed out and most trustdbs probably wouldn't care.

          Yes this is true but it doesn't matter.

          Cross signing / alternate certification paths can lead to one mans root becoming another's intermediary.

          Intermediaries have the same problem with 10+ year validity periods.

    • by nleven ( 1848188 ) on Monday September 08, 2014 @10:40PM (#47858989)
      My understanding is CAs have limited interest in this matter. The product they are selling to website owners is really that green lock in the address bar. As long as that green lock icon is there, SHA1 or SHA256 won't make any difference. In this sense, deprecation should actually start at the browser.
      • They do have a large interest in the matter. If SHA-1 is broken and they keep selling it they lower the belief in the system. Thus it would lower the monetary value of ALL certificates.

        • by Lisias ( 447563 )

          They do have a large interest in the matter. If SHA-1 is broken and they keep selling it they lower the belief in the system. Thus it would lower the monetary value of ALL certificates.

          How to lower the belief in something that no one's knows it there? :-)

          Common people don't know about cryptography and security. All that common people knows is about WHO tells that something is secure or not - if they trust the guy that says that something is secure, then they acts as it is secure.

          Google is betting that people thrust Chrome.

        • by jbo5112 ( 154963 )

          It didn't stop VeriSign from selling lower priced MD5 certificates when the algorithm had known vulnerabilities. They finally stopped when somebody publicly announced the ability to forge a verifiable certificate for any website in 1-2 days using a cluster of 200 PS3's.

    • by Nick Lowe ( 3421741 ) on Tuesday September 09, 2014 @01:05AM (#47859539)
      This clearly does not work though... Quoting Google's Adam Langley: "Unfortunately, many CAs decided to ignore it, presumably on the assumption that Microsoft would be forced to back down. We've done this dance with MD5 and 1024-bit certificates and we know how it goes. Here's a quick list of CAs that issued more than 2000 certificates extending into 2017 with SHA-1: GlobalSign nv-sa: 75,312 GoDaddy: 41,606 GeoTrust: 40,429 Comodo: 37,789 Verisign: 34,927 Terena: 9,444 Thawte: 8,735 Internet2: 8,637 Network Solutions: 8,077 Entrust: 5,542 AlphaSSL: 3,458 We would all have liked CAs to have acted either when the Baseline was updated (2011) or when Microsoft laid down dates (Nov 2013) or when Chrome talked about doing this at the CA/B Forum meeting earlier this year. It is unfortunate that that 2016/2017 dates are being ignored. If you run a site and want to be insulated from this sort you might want to consider getting one year certificates. CAs like to sell multiple years of course but doing renewal once every three (or more) years means that you have a significant risk of loosing the institutional knowledge of how to do it. (E.g. the renewal remainder email goes to someone who left last year and you then have a panic when it expires). Additionally, very long lived certificates are not insulated from from these sorts of changes and you may need to replace them during their lifetime anyway." https://news.ycombinator.com/i... [ycombinator.com]
      • If you set it up such that mails from, say, VeriSign are sent directly to <bobfromaccounting@example.com>, then you're DOING IT WRONG and you deserve what you get if a mail accidentally gets dropped because Bob got fired last year.

        One obvious solution is to run your own mail server and create <certificates@example.com>, a forward to <bobfromaccounting@example.com> and finally a bit of logic such that a big scary warning is sent to the administrator account for the mail server if the forw

    • No, it should start, and stop, at the user's local cert store.
      I don't actually trust any of the root CAs, and would much rather the world ran on self-signed certs.
      I'd love to walk into my bank and say "Hey fuckers, I need to add your cert. He's my cert so you can do that same. I can clearly see that you are in fact, my bank, and you can see that I am, in fact, your customer, so let's share our certs so we can communicate over public lines securely.".
      But no, that requires effort. So fuck it, we'll use unt

      • by mcvos ( 645701 )

        My bank is not a place I can easily walk into. I'd need to figure out where their office is, make an appointment, travel there, etc. And they'd have to do that with every single customer.

        On the other hand, when I originally got my account there, I sent them a bunch of paperwork, and they sent me all sorts of sensitive stuff in return. Through snailmail. So I guess adding their cert (on a USB stick?) to that wouldn't compromise anything.

        • Print your cert with a QR code on a single sheet of correspondance. Its not hard, and it would be easy to disseminate.

      • by westyx ( 95706 )

        How do you deal with entities that aren't physically located where you live?

        There's no amazon place of business in australia, but I buy stuff from them all the time. I'm pretty sure that ebay australia doesn't have a local presence in my home city, and there's definitely no valve place of business here. How do I exchange certs physically with these entities without flying to sydney or to america?

        • How do you deal with entities that aren't physically located where you live?

          There's no amazon place of business in australia, but I buy stuff from them all the time. I'm pretty sure that ebay australia doesn't have a local presence in my home city, and there's definitely no valve place of business here. How do I exchange certs physically with these entities without flying to sydney or to america?

          Site posts thumbrint of cert on site.com/security .
          I can call the customer service phone number and ask a human to tell me the thumbprint so I can verify.
          A QR code can be posted on my monthly bill.
          I can ask someone else who I trust and who deals with that entity to tell me the thumbprint.
          Or I can take the risk and trust the cert.

          It's about giving the USER control over who they trust, making trust an explicit action with a default of NOT trusting shit, and getting rid of the possibility for CAs/governments t

      • by Kjella ( 173770 )

        I'd love to walk into my bank

        Good for you. Mine is all e-bank and I tend to like it that way. Same with most the e-tailers I shop at, the intersection with physical retailers is slim. How do you visit Gmail or Facebook? Speaking of which, people often have a different third party between them and whoever they're communicating with. You could always pretend it's not signed you know, what would you do? Send an email, asking them if that's their real certificate? Try to verify it through your "web of trust", which includes a bunch of dimw

        • Call your bank, talk to a person, compare the cert thumbprint with what the employee tells you.
          Or check against the one included on your monthly bill, possibly via a QR code.
          Or check against any other trustworthy source.

          You being lazy isn't an excuse, be it physically going somewhere or spending 5 minutes to look shit up.

  • by JustNiz ( 692889 ) on Monday September 08, 2014 @06:52PM (#47857795)

    My website will be fine since it uses ROT-13.

  • by Anonymous Coward on Monday September 08, 2014 @06:53PM (#47857809)

    First movers nothing. Firefox 32 just released, and it deprecated a bunch of certs without any real warning at all, causing some users to get mad (http://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/). Google waited for Mozilla to take the risk while planning to safely tell the user that the site is running outdated SHA-1 certs. Stop trying to paint them as heroes, they're just one of the players, and not even at the forefront of the effort.

    • by Elbart ( 1233584 )
      "without any real warning at all"
      Wrong. That time you added an exception back in 2013 was the warning. Now deal with it.
    • by obarel ( 670863 ) on Tuesday September 09, 2014 @01:39PM (#47864399)

      There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years so you've had plenty of time to lodge any formal complaints and its far too late to start making a fuss about it now.

  • Do your job too well, and people start questioning if it's needed in the first place.
    • by jd ( 1658 )

      That's why you should never hire people, just small furry creatures from Alpha Centauri.

  • by Anonymous Coward

    The summary writers really need to stop adding terminology willy-nilly. SHA1 is a hashing function, not an encryption.

    • by stoploss ( 2842505 ) on Monday September 08, 2014 @07:13PM (#47857921)

      The summary writers really need to stop adding terminology willy-nilly. SHA1 is a hashing function, not an encryption.

      Yes, SHA-1 is a hashing algorithm, and anyone even remotely confused about the distinction should avert their eyes and NOT click on this link [slashdot.org] to an elucidating comment from a few years ago that indicated something... rather surprising... about the nature of hashing and encryption.

      Strange, eh?

      • by Mr Z ( 6791 )

        You still need a way to mix a key into the result if you want a symmetric cipher.

        In any case, certificate validation doesn't use SHA-1 as a cipher.

    • Its a cryptographic hash function that uses encryption algorithms to generate (what used to be) secure hashes.

      There are some pretty terrible hash functions that are not crypto (like parity bits) but SHA is crypto.

  • SHA-3 (Score:5, Insightful)

    by Anonymous Coward on Monday September 08, 2014 @07:17PM (#47857941)

    Wouldn't now be the time to push toward a transition to SHA-3, rather than SHA-2? I realize SHA-2 implementations are much more common. But 1) SHA-2 was handed down from the NSA and 2) is in the same family as MD5 and SHA-1.

    Considering 1) the recent NSA scandals, 2) that SHA-3 was independently developed and won a public competition, and 2) that SHA-3 uses a newer family of one-hash algorithms which is provably more secure than SHA-2, it would seem prudent to use momentum to move to SHA-3 sooner rather than later.

    • by skids ( 119237 )

      Well, if x509 has simply allowed for multiple signatures, we could just put both SHA2 and SHA3 signatures on the certs, and consumers of the certs could move towards supporting SHA3 as their security requirements dictate, ignoring the SHA2 signatures when they have a SHA3 signature available to them.

      But as with everything PKI related, the people making the calls have some blind spots when it comes to making things forward compatible or even particularly maintainable. It's as if they've never had to a day

  • by viperidaenz ( 2515578 ) on Monday September 08, 2014 @07:20PM (#47857965)

    Issuer: CN = VeriSign Class 3 Public Primary Certification Authority - G5, OU = (c) 2006 VeriSign, Inc. - For authorized use only, OU = VeriSign Trust Network, O = VeriSign, Inc., C = US
    Subject: CN = Symantec Class 3 EV SSL CA - G2, OU = Symantec Trust Network, O = Symantec Corporation, C = US
    Valid from: Thursday, 31 October 2013 12:00:00 p.m.
    Valid to: Tuesday, 31 October 2023 11:59:59 a.m.
    Signature algorithm: sha1RSA
    Signature hash algorithm: sha1
    Thumbprint algorithm: sha1
    Thumbprint: e4 99 59 a4 b3 36 ac bd 2d ac 75 9b b5 21 b9 46 03 3e 82 3a

    They're still issuing certificates. It appears they use sha1?

  • Uhh yeah (Score:4, Informative)

    by Lirodon ( 2847623 ) on Monday September 08, 2014 @07:36PM (#47858081)
    Implying only Google is doing this. Microsoft is doing it too, and a Firefox bug has made a similar proposal shortly after said announcement. https://bugzilla.mozilla.org/s... [mozilla.org]
    • by jd ( 1658 )

      Microsoft will probably implement SHA0. There's no value in SHA2 (and variants) now that SHA3 has been ratified, since SHA2 is just SHA1 with some lengthening. If SHA1 is brutally compromised, SHA2 will fall shortly after. Best to switch to NESSIE (Whirlpool) and SHA3 (something that sounds vulgar).

      Having said that, SHA3 involved dubious mid-contest rule changes and spurrious rejection criteria that might well have been NSA-inspired. I'd take a very close look at the Hashing Lounge for any second or third r

      • The problem with hunting down the best hash algorithm is that both your certificate authority and the user's browser have to support it. SHA-3 has at least the benefit of standardization, which puts it far ahead of a third round reject.

        • by jd ( 1658 )

          Agreed, which is why it should be there.

          Nonetheless, there needs to be a backup plan in case it does turn out that the NSA or GCHQ have a backdoor to it. If it's been deliberately compromised (and I'm not keen on changes made AFTER it had been approved as SHA3 for that very reason), then the more paranoid amongst us need to have a backup plan. I certainly wouldn't suggest HTTPS over TOR use algorithms that are considered three-letter-agency-unsafe for any part of the security protocol, for example, since th

  • by WaffleMonster ( 969671 ) on Monday September 08, 2014 @07:52PM (#47858149)

    Amazing www.google.com and every single link in its trust chain is using SHA-1 signature algorithm.

    • Re: (Score:3, Informative)

      by return 42 ( 459012 )

      True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

      In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time — and they don't need to. (Though I'm sure they would prefer a nice quiet forgery to issuing an order that someone might blow the whistle about.)

      • True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

        I only read Google's announcement and did not follow every link from others before posting.

        Hearing this only makes things worse... If Google themselves is not getting their act together until 2016 and concurrently the following is true:

        "Chrome 39 (Branch point 26 September 2014)
        Sites with end-entity (âoeleafâ) certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as âoesecure, but with minor errorsâ.

        It is hard to imagine a situation whereby you can avoid everything appearing broken in much the same way everything is known to the state of California to cause cancer.

        In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time â" and they don't need to.

        What is the point of this?I don't understand the logic here.. how/who does this help?

        Google's cert would be

  • by Anonymous Coward

    Why is the only form of encrypted password you accept via your Google Apps Directory Synchronization GADS tool SHA1? Not even salted. Just flat out SHA1. Let us sync salted strongly hashed passwords, and then we'll take your concern for security seriously.

  • by Anonymous Coward

    A migration from SHA1 for US federal agencies was mandated at the end of 2013.

  • When you add decision points about issues the average user has no practical basis for making an informed determination you just make matters worse by adding confusion and uncertainty able to be leveraged by adversaries.

    Now instead of secure and not secure.. ideally working and not working... we are hurling FUD and technobabble at users whose day job is NOT technology.

    Who am I trying to kid.. .f@#uck...it...ya'll just need more reassuring padlock .gifs to adorn your secure sites.

  • by citizenr ( 871508 ) on Monday September 08, 2014 @11:08PM (#47859127) Homepage

    Google still REQUIRES RC4 for Youtube.

    https://news.ycombinator.com/i... [ycombinator.com]

  • Google recently announced Chrome will be gradually phasing out support for certificates using SHA-1 encryption.

    SHA-1 is a hashing Algorithm, not an Encryption Algorithm. Really people. How do you expect anyone to become educated if everything they see is inaccurate to begin with?

    http://en.wikipedia.org/wiki/H... [wikipedia.org]
    http://en.wikipedia.org/wiki/E... [wikipedia.org]

    The short story is that hashing is to prove information has not been altered. Encryption is to keep information secret. Both technologies are used to ensure a secure information exchange experience.

  • Poster says "phasing out support for certificates using SHA-1 encryption" SHA-1 is a hash function not an encryption function.

Mausoleum: The final and funniest folly of the rich. -- Ambrose Bierce

Working...