Google Works To Sunset SHA-1 In Chrome

  • pqwoerituytrueiwoq
    replied
    Originally posted by halfmanhalfamazing
    Originally posted by My8th
    Do any common sites still use SHA-1?
    Healthcare.gov
    *goes to confirm*
    yep it does, however "This change is about SHA-1-signed certificates that don't expire until after 1 January 2017"
    The Healthcare.gov one expires now +1 year and 4 days, which would be in September of 2015


  • opensource
    replied
    Originally posted by Delgarde
    It's considered unsuited for crypto, but that doesn't mean it's not a perfectly adequate hashing algorithm for other purposes.
    No, I mean git uses sha1 internally (AFAIK).


  • halo9en
    replied
    I don't know much about crypto algorithms, but from what I gather SHA1 is weak and unsuitable for signing. Should I be worried then? This, for instance, is Google's gmail: "Signature algorithm SHA1withRSA" https://www.ssllabs.com/ssltest/anal...74.125.239.117


  • Delgarde
    replied
    Originally posted by opensource
    What about git, is it there still considered ok?
    It's considered unsuited for crypto, but that doesn't mean it's not a perfectly adequate hashing algorithm for other purposes.


  • randomizer
    replied
    Originally posted by RahulSundaram
    No because https which is insecure lures users with a false sense of insecurity
    Most users have no sense of security anyway, and rubbish like secret questions and answers does far more to cause a false sense of security than SHA-1. A theoretically vulnerable algorithm that thus far has required enormous computing power to come close to a collision is better than requiring nothing more than to sit in between two hosts and collect the traffic.


  • Mat2
    replied
    From Wikipedia:
    Best public cryptanalysis
    A 2011 attack by Marc Stevens can produce hash collisions with a complexity of 2^61 operations.[1] No actual collisions have yet been produced.
    This is more about being cautious (nobody knows what NSA has developed internally) than a real threat.

    EDIT: After all, SHA-1 was developed by NSA (note, this does not mean that there's a backdoor here, NSA also cares for security of US systems).


  • opensource
    replied
    What about git, is it there still considered ok?


  • DeepDayze
    replied
    Originally posted by halfmanhalfamazing
    Healthcare.gov
    now that made me chuckle


  • halfmanhalfamazing
    replied
    Originally posted by My8th
    Do any common sites still use SHA-1?
    Healthcare.gov


  • gregordinary
    replied
    Originally posted by My8th
    Do any common sites still use SHA-1?
    Just checked the following sites and they all have SHA-1 certs:
    https://www.microsoft.com/en-us/default.aspx
    https://www.bankofamerica.com/
    https://www.yahoo.com/
    https://www.google.com/ (Expires November 24, 2014)

    SHA1 still makes up the overwhelming majority of SSL Certificates out there. Most CAs didn't start issuing SHA-2 certificates until earlier this year. I suspect some companies will be hesitant to jump to SHA2 since there are some compatibility issues, especially with legacy systems like Windows Server 2003.