Google Works To Sunset SHA-1 In Chrome


  • #11
    Originally posted by RahulSundaram
    No because https which is insecure lures users with a false sense of insecurity
    Most users have no sense of security anyway, and rubbish like secret questions and answers does far more to cause a false sense of security than SHA-1. A theoretically vulnerable algorithm that thus far has required enormous computing power to come close to a collision is better than requiring nothing more than to sit in between two hosts and collect the traffic.



    • #12
      Originally posted by opensource
      What about git, is it there still considered ok?
      It's considered unsuited for crypto, but that doesn't mean it's not a perfectly adequate hashing algorithm for other purposes.



      • #13
        I don't know much about crypto algorithms, but from what I gather SHA1 is weak and unsuitable for signing. Should I be worried then? This, for instance, is Google's gmail: "Signature algorithm SHA1withRSA" https://www.ssllabs.com/ssltest/anal...74.125.239.117



        • #14
          Originally posted by Delgarde
          It's considered unsuited for crypto, but that doesn't mean it's not a perfectly adequate hashing algorithm for other purposes.
          No, I mean git uses sha1 internally (AFAIK).



          • #15
            Originally posted by halfmanhalfamazing
            Originally posted by My8th
            Do any common sites still use SHA-1?
            Healthcare.gov
            *goes to confirm*
            yep it does, however "This change is about SHA-1-signed certificates that don't expire until after 1 January 2017"
            The Healthcare.gov one expires now +1 year and 4 days, which would be in September of 2015



            • #16
              Originally posted by opensource
              No, I mean git uses sha1 internally (AFAIK).
              Git SHA-1 usage isn't really a security-feature, it's just a hash that's very unlikely (virtually impossible) to produce accidental collisions.



              • #17
                Originally posted by kusma
                Git SHA-1 usage isn't really a security-feature, it's just a hash that's very unlikely (virtually impossible) to produce accidental collisions.
                I guess so too.



                • #18
                  Originally posted by pqwoerituytrueiwoq
                  *goes to confirm*
                  yep it does
                  *falls on the floor*

                  I was only kidding! LOLOL But I guess considering that the site was recently hacked, that just goes into the pot as one of the reasons.

                  Really, I guess I should be laughing because with government controlled healthcare, the joke is on us.



                  • #19
                    Originally posted by opensource
                    No, I mean git uses sha1 internally (AFAIK).
                    Yes, that's why I said that. SHA-1 hashing isn't considered good enough for crypto these days, because finding collisions has become relatively computationally cheap, and the ability to deliberately find collisions for hashed passwords is a problem. But that doesn't matter for git, because it's not using SHA-1 for crypto (or for security in general)... it's just using it to generate a kind of identifier from the contents of a commit.

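Added example, not part of any post in this thread: how Git derives an object ID from content with SHA-1, as posts #16 and #19 describe. The file name, author line and commit message are constructed sample values; the byte layout is Git's loose-object format.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<type> <size>' + NUL + body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """entries: (mode, name, hex_id) tuples. A tree stores each ID as 20 raw bytes.
    Plain name sort is enough here because the sample holds files only."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return out

def commit_body(tree_id: str, message: str, parent: str = None) -> bytes:
    # Constructed identity and timestamp, fixed so the result is reproducible.
    who = "Example Dev <dev@example.invalid> 1410000000 +0000"
    lines = [f"tree {tree_id}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {who}", f"committer {who}", "", message]
    return ("\n".join(lines) + "\n").encode()

def commit_id_for(file_content: bytes) -> str:
    """Blob -> tree -> commit: each ID is a hash over the IDs beneath it."""
    blob = git_object_id("blob", file_content)
    tree = git_object_id("tree", tree_body([("100644", "README", blob)]))
    return git_object_id("commit", commit_body(tree, "initial import"))

if __name__ == "__main__":
    # Same ID that `echo "hello world" | git hash-object --stdin` reports.
    print("blob  ", git_object_id("blob", b"hello world\n"))
    # A one-byte change in the file yields a different commit ID.
    print("commit", commit_id_for(b"hello world\n"))
    print("commit", commit_id_for(b"hello world!\n"))
```

Because the commit hashes the tree ID and the tree hashes the blob ID, the commit ID identifies the full content beneath it.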


                    • #20
                      Originally posted by My8th
                      Do any common sites still use SHA-1?
                      https://www.sha2sslchecker.com/index.php/facebook.com (sha1WithRSAEncryption)

                      Other popular websites that are using sha1WithRSAEncryption...

                      www.nasa.gov
                      www.hsbc.com
                      www.amazon.com
                      www.taobao.com

                      Most websites still using SHA1 from this list - http://en.wikipedia.org/wiki/List_of...pular_websites
