Originally posted by Delgarde
View Post
-
I don't know much about crypto algorithms, but from what I gather SHA1 is weak and unsuitable for signing. Should I be worried then? This, for instance, is Google's gmail: "Signature algorithm SHA1withRSA" https://www.ssllabs.com/ssltest/anal...74.125.239.117Leave a comment:
-
Most users have no sense of security anyway, and rubbish like secret questions and answers does far more to cause a false sense of security than SHA-1. A theoretically vulnerable algorithm that thus far has required enormous computing power to come close to a collision is better than requiring nothing more than to sit in between two hosts and collect the traffic.Originally posted by RahulSundaram View PostLeave a comment:
-
From Wikipedia:
This is more about being cautious (nobody knows what NSA has developed internally) then real threat.Best public cryptanalysis
A 2011 attack by Marc Stevens can produce hash collisions with a complexity of 2^61 operations.[1] No actual collisions have yet been produced.
EDIT: After all, SHA-1 was developed by NSA (note, this does not mean that there's a backdoor here, NSA also cares for security of US systems).Leave a comment:
-
Just checked the following sites and they all have SHA-1 certs:Originally posted by My8th View Post
https://www.microsoft.com/en-us/default.aspx
https://www.bankofamerica.com/
https://www.yahoo.com/
https://www.google.com/ (Expires November 24, 2014)
SHA1 still makes up the overwhelming majority of SSL Certificates out there. Most CA's didn't start issuing SHA-2 certificates until earlier this year. I suspect some companies will be hesitant to jump to SHA2 since there are some compatibility issues especially with legacy systems like Windows Server 2003.Leave a comment:
Leave a comment: