Google Works To Sunset SHA-1 In Chrome

  • Google Works To Sunset SHA-1 In Chrome

    Phoronix: Google Works To Sunset SHA-1 In Chrome

    Google will begin warning users when accessing HTTPS sites whose certificate chains are using SHA-1, due to this cryptographic hash algorithm being weak...

    http://www.phoronix.com/vr.php?view=MTc4MTk

  • #2
    And will Google warn users if accessing via http? Because it is easy to prove that https with sha1 has at least the same security as http.



    • #3
      Originally posted by pali
      And will Google warn users if accessing via http? Because it is easy to prove that https with sha1 has at least the same security as http.
      No, because https which is insecure lures users with a false sense of insecurity



      • #4
        I'd prefer DNSSEC and DANE support

        Getting the bigger number in the crypto is great, but there are some really cool new technologies coming through based on DNSSEC and DANE. With these, the SSL certificate gets linked with your ownership of the DNSSEC record keys. That is, you can configure an IP address *and* certificate hash when you register your domain, and DNSSEC handles the rest.



        • #5
          Do any common sites still use SHA-1?



          • #6
            Originally posted by My8th
            Do any common sites still use SHA-1?
            Just checked the following sites and they all have SHA-1 certs:
            https://www.microsoft.com/en-us/default.aspx
            https://www.bankofamerica.com/
            https://www.yahoo.com/
            https://www.google.com/ (Expires November 24, 2014)

            SHA1 still makes up the overwhelming majority of SSL certificates out there. Most CAs didn't start issuing SHA-2 certificates until earlier this year. I suspect some companies will be hesitant to jump to SHA2 since there are some compatibility issues, especially with legacy systems like Windows Server 2003.



            • #7
              Originally posted by My8th
              Do any common sites still use SHA-1?
              Healthcare.gov



              • #8
                Originally posted by halfmanhalfamazing
                Healthcare.gov
                now that made me chuckle



                • #9
                  What about git, is it still considered ok there?



                  • #10
                    From Wikipedia:
                    Best public cryptanalysis
                    A 2011 attack by Marc Stevens can produce hash collisions with a complexity of 2^61 operations.[1] No actual collisions have yet been produced.
                    This is more about being cautious (nobody knows what NSA has developed internally) than a real threat.

                    EDIT: After all, SHA-1 was developed by NSA (note, this does not mean that there's a backdoor here, NSA also cares for security of US systems).
