
Forum Moderators: phranque


SHA-1 Defeated

     
1:55 pm on Feb 23, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4864
votes: 13


[security.googleblog.com...]

For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.
5:46 pm on Feb 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts: 938
votes: 231


This is just crazy stuff, and I am not sure what is more crazy, the Math or the Computer Science.
Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
10:12 pm on Feb 23, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts: 348
votes: 50


Some will certainly come and argue that this is #*$!, and that Google is pushing people to use other encryption algorithms to make more money...
10:35 pm on Feb 23, 2017 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1479
votes: 192


Cryptography is a mind-boggling affair, and I'm glad other people bother with it so I don't have to :-)
6:03 am on Feb 24, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2648
votes: 85


@Dimitri - how would Google profit from this?
10:52 am on Feb 24, 2017 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1479
votes: 192


They wouldn't, of course, but I think that's his point.
12:31 pm on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:7646
votes: 519


More commentary

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time


[theregister.co.uk...]
1:15 pm on Feb 24, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts: 938
votes: 231


However, it is not beyond the reach of a large corporation or intelligence agency to forge a TLS certificate, a Git repo...


Forge a Git repo! There must be a few nervous tech companies around, wondering whether their code is safe? The door opened by this vulnerability is huge. One could steal the code outright. But far worse, you could inject malware into the code without anyone ever knowing, steal customer data, spy on users; a Stuxnet-type attack could be carried out without requiring physical contact with the computer (assuming the code base for the attack is repoed on Git).
2:34 pm on Feb 24, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts: 348
votes: 50


My comment was a joke, as a reference to the discussions held at the HTTPS topic :-)
4:43 pm on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:7646
votes: 519


@Dimitri: Jokes are harder to perceive in these desperate daze! (sic)
11:42 pm on Feb 24, 2017 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1479
votes: 192


FYI: WebmasterWorld has an intermediate certificate with a weak SHA-1 signature in its chain.
4:34 am on Feb 25, 2017 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8492
votes: 224


Uh Oh... Of course, for right now, probably not many people outside of Google and government actors can exploit that, but time to get the house in order.
8:48 am on Feb 25, 2017 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1479
votes: 192


True, but browsers are expected to drop SHA-1 soon, so you might lose your padlock.
 
