SHA-1 Cutoff Could Block Millions of Users From Encrypted Websites (csoonline.com)
itwbennett writes: As previously reported on Slashdot, browser makers are considering an accelerated retirement of the older and increasingly vulnerable SHA-1 function. But Facebook and CloudFlare are warning that some 37 million users of old browsers and operating systems that don't support SHA-2 will be left without access to encrypted websites. The majority of them are located in some of the "poorest, most repressive, and most war-torn countries in the world," CloudFlare's CEO Matthew Prince said Wednesday in a blog post. Facebook has solved this problem by building a mechanism that allows its certificates to be switched automatically based on the browser used by the visitor.
Pretty sure... (Score:1)
That even Windows XP supports the latest browsers still... or at least some variant of them.
If they don't want to move on from IE 6, that's their god damn problem.
Re:Pretty sure... (Score:4, Interesting)
Re: (Score:2, Informative)
Errr... a GByte of data? Are you missconfussed with the pushed Windows 10 update?
Firefox was less than 50MB last time I did a full install.
The real problem in this case may end up being that the overbloated browsers drop support for older systems.
Re: (Score:2, Funny)
Re: (Score:2)
If your monthly limit is 100MB then you might as well not even use a graphical browser and stick with lynx or links2.
The average web page (before cache) is over 1MB.
Re: (Score:2)
Think of all the Oracle users? (Score:5, Funny)
Some of the older Oracle products only support SHA-1. Upgrading to a newer version of Oracle will cost them millions. Won't someone think of the Oracle user base?
Free Oracle upgrades available everywhere (Score:2, Funny)
> Some of the older Oracle products only support SHA-1. Upgrading to a newer version of Oracle will cost them millions. Won't someone think of the Oracle user base?
Nonsense. Postgres is free.
Re:Free Oracle upgrades available everywhere (Score:4, Interesting)
Porting from Oracle to Postgres is free too, if you want everything to break.
Is the Oracle to pgSQL upgrade fully compatible? (Score:2)
> Postgres is free.
PostgreSQL is free until the application that you just tried to migrate from Oracle Database to PostgreSQL throws a syntax error. Then it costs time (which is money) to fix the apps if they're in-house or free, or it costs money to either purchase an upgrade to add PostgreSQL compatibility to a proprietary application or to migrate entirely from a proprietary application for which PostgreSQL compatibility is not available. Or does PostgreSQL's PL/pgSQL parser accept all PL/SQL and MySQL syntax to allow it t
Asking for it (Score:1)
Oracle users deserve all the pain they can get!
Don't complain of neck pain after hanging yourself.
Re: (Score:3)
Serves them right.
When will people stop and realize not to dig yourself into a vendor only based solution.
Re: (Score:2)
Well admittedly, having to pay sudden exorbitant fees is something that Oracle users are not wholly unfamiliar with. They probably already have contingency plans.
Facebook -- ??? (Score:4, Insightful)
So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?
Re: (Score:2)
Re: (Score:2)
Persistence != certificate forgery (Score:2)
Persistent login is a completely orthogonal problem to TLS certificate forgery. What's going on is that Mozilla and Facebook are continuing to make SHA-1 access available and dealing with forgeries on a reactive basis until enough of the user base has migrated to allow the proactive approach of allowing only SHA-256 access.
Re:Facebook -- ??? (Score:4, Interesting)
Re:Facebook -- ??? (Score:4, Insightful)
Nope.
Here's how this spins out.
If you got a nice shiny new SHA-2-only browser, and you go to the real Facebook, it has a SHA-2 cert and everything works, and you're safe
If you got a crappy browser that can't handle SHA-2, and you go to the real Facebook, it shows a SHA-1 cert, which you trust, you are at risk, but only because you've got a crappy browser. Hate the risk? Get a newer browser
If you got a nice shiny new SHA-2-only browser and a bad guy pretends to be Facebook, sends the SHA-1 cert, your browser says "Ugh, insecure, No" and you're safe and the bad guy wasted their time
If you got a crappy browser that can't handle SHA-2 and a bad guy pretends to be Facebook, they might _if they spent a lot of money / resources_ fake you out. So you should have got a nice shiny new browser.
They can't do this reliably (Score:4, Interesting)
The problem with that is that there is no actual way to detect that an old browser doesn't support SHA-2.
For example, older versions of Firefox/NSS since 2003 have supported SHA-2 server certificates, but not SHA-2 in TLS cipher suites as the MAC algorithm, which wasn't specified until years later.
The TLS ClientHello message does not specify which types of hash algorithm the client supports for certificates, only the list of cipher suites that the client supports.
Thus, Facebook, or anyone else, has no way of determining if a client really doesn't support SHA-2 server certificates.
What they are probably doing is assuming that clients that don't support SHA-2 MAC in TLS cipher suites . But that's a wrong assumption. Many older clients will be downgraded to SHA-1 server certificates as a result, even though they support SHA-2 certificates. And they will have no way of knowing that this happened.
Re: (Score:3)
If a browser will trust SHA1 certificates then it doesn't really matter whether the legitimate site sends a SHA1 cert or a SHA2 cert. What matters is that they will accept a SHA1 cert from an attacker and there is nothing the legitimate site can do about that.
Re: (Score:2)
Re:They can't do this reliably (Score:4, Informative)
Re: (Score:2)
> The problem with that is that there is no actual way to detect that an old browser doesn't support SHA-2.
> For example, older versions of Firefox/NSS since 2003 have supported SHA-2 server certificates, but not SHA-2 in TLS cipher suites as the MAC algorithm, which wasn't specified until years later.
> The TLS ClientHello message does not specify which types of hash algorithm the client supports for certificates, only the list of cipher suites that the client supports.
> Thus, Facebook, or anyone else, has no way of determining if a client really doesn't support SHA-2 server certificates.
It might be possible to fingerprint clients based on what they advertise.
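One thing a client can advertise is the TLS 1.2 signature_algorithms extension (RFC 5246), which lists the hash/signature pairs it accepts; clients that predate TLS 1.2 omit it. The code below is an added example, not from this thread and not Facebook's or CloudFlare's code: it parses constructed ClientHello messages and picks between two hypothetical chain labels (`sha1-chain`, `sha2-chain`), flagging the case where the choice is only a guess.

```python
import struct

SIG_ALGS_EXT = 13  # signature_algorithms extension type (RFC 5246, 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SHA2 = {"sha224", "sha256", "sha384", "sha512"}


def build_client_hello(version, suites, sig_algs=None):
    """Constructed sample input: a minimal ClientHello handshake message."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, no session id
    raw = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(raw)) + raw + b"\x01\x00"   # suites, null compression
    if sig_algs is not None:
        pairs = bytes(v for pair in sig_algs for v in pair)   # (hash, signature) byte pairs
        data = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", SIG_ALGS_EXT, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


class Reader:
    """Bounds-checked cursor so a truncated hello raises instead of misparsing."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def vector(self, len_bytes):
        # Length-prefixed field: read the length, then that many bytes.
        return self.take(int.from_bytes(self.take(len_bytes), "big"))

    def done(self):
        return self.pos >= len(self.data)


def advertised_hashes(hello):
    """Return the hash names listed in signature_algorithms, or None if absent."""
    outer = Reader(hello)
    if outer.take(1) != b"\x01":
        raise ValueError("not a ClientHello")
    body = Reader(outer.vector(3))
    body.take(2 + 32)        # client_version + random
    body.vector(1)           # session_id
    body.vector(2)           # cipher_suites
    body.vector(1)           # compression_methods
    if body.done():
        return None          # no extensions block: nothing advertised
    exts = Reader(body.vector(2))
    while not exts.done():
        ext_type = int.from_bytes(exts.take(2), "big")
        data = Reader(exts.vector(2))
        if ext_type == SIG_ALGS_EXT:
            pairs = data.vector(2)
            return {HASHES.get(h, "other") for h in pairs[0::2]}
    return None


def choose_chain(hello):
    """Return (chain label, basis); the labels are hypothetical names for this example."""
    hashes = advertised_hashes(hello)
    if hashes is None:
        # Absence is not evidence: a TLS 1.0 client that validates SHA-2
        # certificates looks the same here as one that cannot.
        return ("sha1-chain", "guess")
    if hashes & SHA2:
        return ("sha2-chain", "advertised")
    return ("sha1-chain", "advertised")


# Constructed samples. Cipher suites: 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA,
# 0x003C = TLS_RSA_WITH_AES_128_CBC_SHA256.
MODERN = build_client_hello(0x0303, [0x003C, 0x002F], [(4, 1), (2, 1)])  # sha256/rsa, sha1/rsa
LEGACY = build_client_hello(0x0301, [0x002F])                            # TLS 1.0, no extensions
SHA1_ONLY = build_client_hello(0x0303, [0x002F], [(2, 1)])               # sha1/rsa only

if __name__ == "__main__":
    for name, hello in (("modern", MODERN), ("legacy", LEGACY), ("sha1-only", SHA1_ONLY)):
        print(name, advertised_hashes(hello), choose_chain(hello))
```

The `guess` result for the TLS 1.0 sample is the case the parent comment describes: the server falls back to SHA-1 without knowing whether the client could have validated a SHA-2 chain.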
Re: (Score:2)
> they might _if they spent a lot of money / resources_ f
It's not that much money. This article was from 2010, with the resources available then.
http://www.geek.com/news/resea... [geek.com]
Re: (Score:3)
> SHA-1 encrypted stream
SHA-1 is NOT used to encrypt the stream. It's used to authenticate the certificate. Some other cipher like RC4, AES, 3DES, etc. is selected to encrypt the stream.
Re: (Score:2)
It might not be as bad as you think. If you have upgraded to a newer browser you probably can and should enable certificate pinning, which would help you discover if you were being subjected to the sort of downgrade attack you are describing.
OTOH it leaves the people using older technology with about the same security posture they had before.
The sad part being all those people in repressive regimes most likely need to be the most concerned. "The right thing to do" is probably go ahead and let them get cut
Re: (Score:2)
Certificate pinning doesn't help when each server in a load-balanced cluster generates its own private key and CSR and thus needs its own certificate. IIS is believed to do this by default [serverfault.com].
Re: (Score:2)
What??
That makes no sense if you are using a 3rd party certificate authority; you will be either doing inbound SSL termination on the load balancer and put the cert there, or you will be copying the cert and its private key to each server in the farm.
If you are running a web farm you are not having IIS auto generate CSRs unless it's only to make requests to an internal CA for the trust relationship between the servers and the balancer.
Re: (Score:2)
> you will be either doing inbound SSL termination on the load balancer and put the cert there
And once your traffic has grown past one load balancer's capacity, you have to cluster your load balancers.
> or you will be copying the cert and its private key to each server in the farm.
I guess some big banks are paranoid about letting any private key get exported from any machine.
Re: (Score:3)
Paranoid about not exporting private key (Score:2)
> For production sites, you don't use the auto-generated cert.
Correct: you export a CSR from the auto-generated keypair and use that to buy a certificate. Normally, you'd export one server's auto-generated keypair, export a CSR, buy the certificate, and import it to the other servers. But if you're paranoid about never exporting a private key, you'll end up with a separate certificate on each server in your load-balancing cluster.
Re: (Score:2)
Exporting the private keys is often done very poorly. I've certainly seen people email such certificates in plain text, and provide access to backups of load balancer backups with unencrypted local keys. Some web servers bother to require manual passwords at start time to unlock an encrypted private key, but I've seen only a very, very few high security sites do that.
Re: (Score:2)
> So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?
No. The risk remains regardless of what individual sites do so long as the users browser remains willing to accept certificates signed with broken hash algorithms.
If your browser supports SHA-1 and Facebook uses only the most secure hash algorithm available an attacker can still pretend to be Facebook by leveraging SHA-1.
Fix is exclusively client side... servers just need to upgrade so that clients will continue to want to speak to them after clients no longer accept SHA-1.
Disable checkout for TLS 1.0 users with notice (Score:2)
Try this: Allow connections from TLS 1.2 and TLS 1.0. But if the server detects that the client has fallen back to obsolete TLS, display an interstitial page once in each session, explaining the situation in a manner that correctly yet politely places the blame:
Report your competitors (Score:2)
You'd better have a monopoly on the product you are selling or the customer will just decide "the hell with that" and buy from another site that is easier.
If you see your would-be customers leaving for competing merchants that blatantly violate PCI DSS, report each noncompliant merchant to the company that handles its payment processing. When competing merchants start either turning away customers in the same way or losing their merchant accounts, watch upgrade conversions increase.
Re: (Score:2)
To keep our PCI compliance we have to switch away from TLS1.0 and our processors basically forced us this year. So we had to get around that in a number of ... less than perfect ways.
To this day I'm unaware of a valid technical justification for the above change. I keep hearing irrelevant excuses about implementation bugs and or solved problems having been well understood and fixed for years. There seems to be no new discovery that has served to justify abandoning TLS 1.0. SHA-1 is at least supported by a coherent understandable problem.
Any scheme to probe clients to determine if they support only SHA-1 I'm in favor of so long as sites doing so warn customers and recommend upgrades.
Re: (Score:2)
The change in the PCI compliance was due to the reclassification of a vulnerability. To understand how this came about, you need to consider the following two vulnerabilities.
CVE-2011-3389 (BEAST attack)
CVE-2013-2566 (RC4 ciphers enabled)
CVE-2011-3389 has a CVSS v2 Base Score of 4.3.
Earlier this year, CVE-2013-2566 had a base score of 2.9.
Any vulnerability with a score higher than 4 is a PCI fail. As a result of this, PCI compliant TLS 1.0 servers were all using RC4 ciphers instead of CBC ciphers - pretty c
Re: (Score:2)
> CVE-2011-3389 (BEAST attack)
As we all know this was worked around more than a decade ago and all browsers save an ancient Safari outlier are not vulnerable to it.
> CVE-2013-2566 (RC4 ciphers enabled)
We all know that cipher suites can be turned on and off independent of TLS version.
> CVE-2011-3389 has a CVSS v2 Base Score of 4.3.
> Earlier this year, CVE-2013-2566 had a base score of 2.9.
> Any vulnerability with a score higher than 4 is a PCI fail.
I would love for someone to provide a reference where in PCI a CVE scoring regime for PCI compliance is even mentioned.
Regardless these problems are not vulnerabilities when you turn off a broken cipher suite and implement workarounds having existed for more than a decade. Saying otherwise wou
Re: (Score:2)
> As we all know this was worked around more than a decade ago and all browsers save an ancient Safari outlier are not vulnerable to it.
Yes, but due to the CVSS score, using CBC based ciphers in TLS 1.0 is a fail. Sure, the risks have been mitigated and they are good to use, but you can't if you want to be PCI compliant.
> We all know that cipher suites can be turned on and off independent of TLS version.
Yes, but if you turn off the RC4 ciphers and turn off the CBC based ciphers in TLS 1.0, there are no TLS 1.0 browsers that have a compatible cipher. This results in TLS 1.0 browsers no longer working in such a configuration. Hence the problem here.
> I would love for someone to provide a reference where in PCI a CVE scoring regime for PCI compliance is even mentioned.
Here you go - Page 22 [pcisecuritystandards.org]
"With a few exceptions (see the Compliance Determination
This is nonsensical fear mongering (Score:2, Funny)
I have one of these old browsers, and I'm not being cut off of the we
Re: (Score:1)
> I have one of these old browsers, and I'm not being cut off of the we
You forgot the "%#$%@#$ NO CARRIER".
Slashdot will remain accessible (Score:5, Insightful)
Re: (Score:1)
Slashdot doesn't even support unicode.
It doesn't need to, though, really.
Re: (Score:2)
> Slashdot doesn't even support unicode.
> It doesn't need to, though, really.
That\u0027s what you think.
Re: (Score:2)
> Fortunately, slashdot will remain accessible as it still hasn't entered the 2010's and added encryption yet!
Get a grip. Not every connection on the web needs to be encrypted. I would argue that *most* connections on the web do not need to be encrypted - Slashdot for example. It's like TV stations bragging that even their news is in high-def - it's the fucking News.
Firesheep, meet Firegoat (Score:2)
Without encryption, anyone can sniff your session cookie, clone it, and post Goatse as fahrbot-bot.
Re: (Score:2)
Re: (Score:2)
> Fortunately, slashdot will remain accessible as it still hasn't entered the 2010's and added encryption yet!
> Get a grip. Not every connection on the web needs to be encrypted. I would argue that *most* connections on the web do not need to be encrypted - Slashdot for example.
Nonsense. There are multiple reasons that all connections need to be encrypted and authenticated.
One obvious one is to prevent malicious parties from injecting malicious payloads into your web pages. You think you're downloading a page from slashdot, but someone else modifies the data in transit, injects a XSS attack to gain access to the banking site you're logged into in another tab, or injects malicious content that exploits some security vulnerability in your browser or OS to pwn your system and add i
Re: (Score:2)
> Nonsense. There are multiple reasons that all connections need to be encrypted and authenticated.
What I find amusing everything you mention is a problem in no way solved by the use of encryption.
> One obvious one is to prevent malicious parties from injecting malicious payloads into your web pages.
> You think you're downloading a page from slashdot, but someone else modifies the data in transit, injects a XSS attack to gain access to the banking site you're logged into in another tab
If banking site is vulnerable to CSRF you would think it would be in their own interests in fixing this before the problem is exploited the next time same user clicks the wrong link from a Google search or opens the wrong email.
> or injects malicious content that exploits some security vulnerability in your browser or OS to pwn your system and add it to a massive botnet which DoSes the forces of goodness and light. Or, worse, installs the Yahoo toolbar.
If you encrypt all the transports nothing changes. People will still exploit vulnerabilities in all the same ways. The only way to fix this is to fix bugs and all deficiencies that all
Re: (Score:2)
> One obvious one is to prevent malicious parties from injecting malicious payloads into your web pages.
> You think you're downloading a page from slashdot, but someone else modifies the data in transit, injects a XSS attack to gain access to the banking site you're logged into in another tab
> If banking site is vulnerable to CSRF you would think it would be in their own interests in fixing this before the problem is exploited the next time same user clicks the wrong link from a Google search or opens the wrong email.
The point is that the attack can be carried out without the user visiting any malicious site. Yes, the bank should fix its bugs, but enabling malicious injection of content into other sites opens up new attack vectors for the attacker who can manipulate your traffic. If I can convince you to connect to my public Wifi service (trivially easy to do in coffee shops and other areas that offer open Wifi) and you use a non-TLS service, then I don't have to figure out how to send you e-mail, or find some way to so
Re: (Score:2)
> The point is that the attack can be carried out without the user visiting any malicious site.
The wire simply is not the instrument being leveraged against vast majority of users.
Re: (Score:2)
But Google says every site needs to be encrypted. Must.... follow... google.... must.... follow..... google... must ..... follow...... google.....
Re: (Score:2)
> But Google says every site needs to be encrypted. Must.... follow... google.... must.... follow..... google... must ..... follow...... google.....
Google wants things encrypted to protect their ad and analytics revenue streams.
Re: (Score:2)
"Anything you say may be used against you in a court of law."
No, it's like TV stations keeping their front doors locked: just a sensible precaution.
If you read /., the NSA doesn't care about you (Score:2)
By definition, anyone here is someone the NSA doesn't care about anyway, so who cares about encryption?
Re: (Score:2)
For a long time, Slashdot offered "subscriptions" that allowed ad-free use, and it redirected non-subscribers' HTTPS hits to HTTP because ad networks took so long to add encryption support. But over the past year at least, it has switched from a subscription model to offering reduced-ad access to users with Excellent karma, possibly on the basis that comments from Excellent users bring in more page views.
Re: (Score:2)
> But over the past year at least, it has switched from a subscription model to offering reduced-ad access to users with Excellent karma, possibly on the basis that comments from Excellent users bring in more page views.
Slashdot has allowed users with Excellent karma to disable ads for a very long time. I don't recall how long, exactly, but it's several years. Well before subscriptions were introduced.
Re: (Score:2)
Subscriptions were added in 2002. I think the ad-free for Excellent Karma users followed, but I could be mistaken. It's been well over a decade in either case.
Re: (Score:2)
Re: (Score:2)
True. And while slashdot comments aren't encrypted, most of them are obfuscated.
It will finally kill off IE 6 (Score:2)
How long has this warming been occurring? (Score:3)
Maybe a loss of Internet access is just the jolt they need to get off their butt and upgrade.
facebook...solved...what? (Score:2)
Re: (Score:3)
If I understand the issue correctly, this isn't something that can be negotiated. The problem is the hash algorithm used by the CA to sign Facebook's public key, not hash used for the content itself (which would be negotiated). Under normal circumstances a site only has one CA-signed certificate which it presents to all clients. The problem is that new browsers won't accept certificates signed by the CA with a SHA-1 hash, while older browsers will reject certificates signed with SHA-2.
It's irrelevant (Score:3)
It's irrelevant, anyway - PCI-DSS will mandate it at some point for any site that accepts credit cards (if it hasn't already: PCI-DSS already mandates that support for all versions of SSL is dropped, and "early TLS" is dropped - they've not defined "early TLS" but TLS 1.0 is known to be vulnerable to attacks already, and TLS 1.1 is structurally weak, so I bet within a year this will be clarified to mean "both TLS 1.0 and TLS 1.1 must not be enabled" by the webserver. By June 2016 you have to get rid of TLS 1.0 if you accept credit card payments.
Some quite recent browsers don't support TLS 1.2 by default (I think some fairly recent versions of Internet Explorer need TLS 1.2 switching on manually).
Re: (Score:2)
Never mind 2016, one of the payment processors that we are using (FirstData) forced us to turn off TLS1.0 back in June of this year!
Re: (Score:2)
> It's irrelevant, anyway - PCI-DSS will mandate it at some point for any site that accepts credit cards
It is already required by PCI-DSS to be using the proper encryption strength, which would be SHA-2 for TLS certificates, and using SHA-1 would clearly be strictly non-compliant with the PCI DSS requirements, since current vendor recommendations and best practices say not to use certificates with old weak hashing algorithms such as MD5 and SHA-1, and Google/Microsoft have already announced that SHA1 i
Re: (Score:2)
Google Chrome already treats SHA-1 as insecure (big red crossed out HTTPS in the address bar). Unfortunately, one of the users of SHA-1 is my bank! The very same bank that insists we be PCI-DSS compliant.
Why is this even a problem? (Score:2)
Exactly how helpful is this? (Score:2)
Yes, it's unfortunate that there are people stuck on hardware or software that can't handle updated algorithms; but their ability to use encrypted communication is compromised by the fact that SHA1 is tottering, not by the fact that some servers might stop negotiating connections using it. Is there some benefit I'm not understanding he
Already cut off (Score:2)
> that don't support SHA-2 will be left without access to encrypted websites.
This is much ado about nothing. The devices that cannot support it are dead ended already. They are not safe to use, so it makes sense that very soon they won't even be allowed to be used with SSL websites, even if the Webmaster wanted them to work. All the SSL websites I manage are already using SHA-2 certificates. Besides, you DON'T use an OS without SHA2 support and have zero issues today
Also, the SHA-1 certs are consid
How does it work? (Score:2)
How does Facebook/Cloudflare fallback mechanism work?
I have seen a few explanations here about SHA1 cipher negotiation, but this is about certificate, not cipher.
Re: (Score:1)
"Most of the places that they say do not update are home of some of the worse kinds of people."
Sources? Even if this is true, the ratio of terrorist to non-terrorist is still probably quite small.
"And most of those relief agencies are the ones that need it the most and can't afford to upgrade."
Wait, which is it? Relief agencies or 'worse kinds of people'?
Nice try. Brush up on your critical thinking and play again some time!
Re: (Score:2)
Two paragraphs dumbass.
The first paragraph refers to the worse kind of people, scammers and terrorists.
Second paragraph, relief agencies that are not counted as "the worse kind of people", nor are the people they are trying to help. The relief agencies that I'm talking about don't have the large budgets for non-essential stuff, like up to date computers. They have to rely on handed down computers. Most of these computers are really outdated, 200 MHz Pentiums or lower.
Re: (Score:2, Insightful)
> And most of those relief agencies are the ones that need it the most and can't afford to upgrade.
Clicked 'Download Firefox Now'. Total cost: $0.
Tie up the phone line for two and a half hours (Score:2)
The Firefox installer is in the neighborhood of 40 MB [mozilla.org]. That's two and a half hours of tying up the phone line if you have v.90/v.92 dial-up, or a nonzero cost if your ISP charges per bit as many cellular and satellite ISPs do.
Re: (Score:2)
So, have the home office* burn a few CDs (or USB sticks) and circulate them around the field offices.
*Assuming NGO staff can be buggered to stop watching cat videos for as long as this will take.
Re: (Score:2)
Millions of third world Internet users are being deprived of HD porn and cat videos.
Re: (Score:3)
Re: (Score:2)
Maybe it's time for me to become a field agent for the CIA. I could go get a job at their IT field office and say stuff like, "That Windows 10 update offer? Yeah, I'm going to need you to click the ACCEPT button on that. Yes, I'll hold."
Re: (Score:3)
Re: (Score:2)
To work around software restriction policies (such as those implemented through AppLocker) that allow execution of DHTML applications but forbid local installation of native applications. It's the same reason that early Wii homebrew (such as WiiCade.com) relied on Flash and DHTML instead of native applications, which Nintendo forbade amateurs from developing, until the Twilight Hack blew open native homebrew.
Re: (Score:2)
I fail to see how your organization failing to upgrade 10+ year out of date software is our problem.
Also... SharePoint. *ding*
Re: (Score:2)
> Give the users some kind of feedback to know that SHA1 is being used by the site and that they should maybe get their shit together, but whether or not support is dropped should be up to the site administrator.
Cause that works so well for the existing "connection may not be secure" messages that the average person doesn't understand so they blindly continue on.
What I don't understand is that it is the browsers removing the access. If a website really wants to support the old clients/ciphers they are still free to do so.
What it really seems to be is that this will force some lazy sites to update their certs to not support only SHA-1. If so then they need to shut the hell up and protect their customers.
Re: (Score:2)
> Why the hell do browser companies want to remove SHA1 support all together?
The whole point of a certificate is to validate that you are talking to the site you think you are talking to. If an attacker manages to obtain a certificate for facebook.com via a SHA1 collision attack then he can pose as facebook regardless of what certificate signature algorithm is used on the legitimate facebook server.
> will they just stop support plain HTTP because HTTP is far more likely to be abused.
They aren't stopping it but they are trying to reduce the potential for abuse. Read up on http strict transport security.
> Give the users some kind of feedback to know that SHA1 is being used by the site and that they should maybe get their shit together
Most users tend to ignore such feedback and even if they don't it
Service Workers; false sense of security (Score:2)
> Seriously, whats next, will they just stop support plain HTTP because HTTP is far more likely to be abused.
They're heading in that direction. Service Workers are the new mechanism for a web application to continue to work during interruptions in the Internet connection, and browsers already forbid use of Service Workers delivered through HTTP unless they came from localhost.
But another difference has been repeated in previous articles about Perspectives, Convergence, WoSign, Let's Encrypt, and other means of working around the cost of avoiding MITM attacks on TLS. The difference between cleartext and low-grade T
Re: (Score:2)
> - Website owners configure allowable ciphers on their websites, which presumably they configure based on their user requirements.
> - Browsers negotiate strongest supported configurable ciphers advertised by websites.
> Why the hell do browser companies want to remove SHA1 support all together? Seriously, whats next, will they just stop support plain HTTP because HTTP is far more likely to be abused.
This really isn't about negotiation of weak ciphers it is about weaknesses in trust chain that allow third parties to insert fake certificates undetected. No matter what you negotiate based on a broken chain of trust the result is a lie.... this includes any possible attempt at "secure negotiation" as the fruits are based upon the lie of a valid trust chain.
Re: (Score:2)
> People running obsolete systems feed botnets and impede others from staying current.
This. The title of this article is very slanted; how about "SHA-1 Cutoff Will Shut Down Insecure Access" instead?
Re:Good (Score:4, Insightful)
> Can't upgrade because reasons? Go cry to whomever is creating that problem for you
Such crying would fall on deaf ears, as mobile device manufacturers routinely announced end of support not only for handsets that are still under 2-year financing but also for handsets that are still being sold in stores. And when "whomever" amounts to the "poorest, most repressive, and most war-torn countries in the world," as the article mentions, what recourse does one have?
Re: (Score:2)
> And when "whomever" amounts to the "poorest, most repressive, and most war-torn countries in the world," as the article mentions, what recourse does one have?
Ending the repression and the combat would seem to be one option.
Perhaps it's worth considering doing that?
End oppression. End war. Easier said. (Score:2)
> poorest, most repressive, and most war-torn countries in the world
> Go cry to whomever is creating that problem for you, and if that amounts to you then keep it to yourself.
> what recourse does one have?
> Ending the repression and the combat
How would affected end users go about that, given the gross wealth inequality endemic in those parts of the world?
Re: (Score:2)
Rocks don't do so well against firearms.
Re: End oppression. End war. Easier said. (Score:1)
Or paper. But I hear rock does well against scissors.
Re: (Score:2)
"You must be great fun at parties."
Re: (Score:2)
So, in other words, Slashdot is partially my fault?
Re: (Score:2)
Oh, good. I was worried somebody else was getting undue credit.