Free Republic
News/Activism

*VANITY* I was hacked and I'm no longer secure on FR *VANITY*
self ^ | March 3, 2017 | knarf

Posted on 03/03/2017 2:32:11 AM PST by knarf

To: Jim Robinson

This is possibly why the latest Freepathons have taken so long - I know my own policies are generally to not continue with a transaction if such a certificate error is presented by a browser, and I’m sure that’s the case for many others. That does tend to reduce the number of users donating... :P


41 posted on 03/03/2017 10:56:26 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Spktyr; knarf
Knarf, it would take a minimum of $110,000 of Amazon Cloud distributed processing to hack you as of this week.

https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

42 posted on 03/03/2017 10:58:35 AM PST by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticides, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 38 | View Replies]

To: Jemian; knarf; John Robinson; Jim Robinson; Spktyr; bar sin·is·ter; Justa; usconservative
SHA-1 HTTPS encryption is breakable (but not yet easily crackable).

Google has broken SHA-1 encryption

By breakable, it means that the same hash can occur for two different websites/users. The odds are very low but it can happen. HTTPS requires that there be no hash collisions (problems can emerge from that) and also that it not be crackable (unencryptable by third parties). The odds of SHA-1 being crackable are low-to-moderate, though, by people with the right skills and hardware. At some point, SHA-1 will become universally forbidden across the internet.

If JohnRob is still on SHA-1, it is a relatively painless change to upgrade to SHA-2. I'm not sure about SHA-256 but I imagine it is as simple a process. It requires one change in the code (usually), and the use of a newly-issued secure site cert (in the appropriate flavor).

Justa, while you are officially correct (NIST FIPS-104 compliance allows SHA-1), most of the Federal agencies are moving to SHA-2, 3, 254, or 256 on internal guidance.

43 posted on 03/03/2017 11:02:45 AM PST by Lazamataz (The "news" networks and papers are bitter, dangerous enemies of the American people.)
[ Post Reply | Private Reply | To 15 | View Replies]
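A defender's check for the question this post raises (is the site certificate still SHA-1 signed?), added here as an example and not code from any poster: it reads the signatureAlgorithm OID out of a PEM certificate with a minimal DER parser, which is the field browsers key their SHA-1 warnings on. The two sample certificates are constructed, unsigned placeholders built inline so the code runs offline; the OIDs for sha1WithRSAEncryption and sha256WithRSAEncryption are the standard RFC 3279/RFC 4055 values.

```python
import base64

SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
SHA1_ALGORITHMS = {SHA1_RSA, "1.2.840.10045.4.1"}   # sha1WithRSAEncryption, ecdsa-with-SHA1

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Return the dotted OID from a PEM certificate's signatureAlgorithm field."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, cert, _ = _tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    _, _tbs, pos = _tlv(cert, 0)         # tbsCertificate: skipped, only what follows matters here
    _, alg_id, _ = _tlv(cert, pos)       # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return _decode_oid(oid)

def is_sha1_signed(pem):
    """True when the certificate's signature hash is SHA-1 (what browsers warn about)."""
    return signature_algorithm(pem) in SHA1_ALGORITHMS

def _der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form length suffices for the samples

def constructed_cert_pem(sig_oid_der):
    """CONSTRUCTED, unsigned, structurally valid certificate carrying the given algorithm OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # tbsCertificate holding only a serial
    alg = _der(0x30, sig_oid_der + b"\x05\x00")            # AlgorithmIdentifier {oid, NULL}
    sig = _der(0x03, b"\x00" * 17)                         # BIT STRING placeholder signature
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
SHA1_SAMPLE = constructed_cert_pem(bytes.fromhex("06092a864886f70d010105"))
SHA256_SAMPLE = constructed_cert_pem(bytes.fromhex("06092a864886f70d01010b"))
```

On a real certificate exported from a browser, the same `is_sha1_signed` call tells you whether the warning concerns the certificate's signature hash; a SHA-1 result says nothing about the strength of the connection's encryption cipher itself.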

To: John Robinson

Personally, I’d up the game to SHA-256. Probably just as much work and you should be good for 10-20 years, barring some major computer breakthrough.


44 posted on 03/03/2017 11:04:26 AM PST by Lazamataz (The "news" networks and papers are bitter, dangerous enemies of the American people.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Spktyr; John Robinson

Ok, thanks. That’s the same thing I told John re this one. The last one finished much earlier. He said he’d get it done as soon as he possibly can. By the way, do you donate to FR by cc, paypal or mail-in check?


45 posted on 03/03/2017 11:06:27 AM PST by Jim Robinson (Resistance to tyrants is obedience to God!)
[ Post Reply | Private Reply | To 41 | View Replies]

To: Lazamataz

My organization has killed SHA-1 completely as of two years ago. There are several vulnerabilities associated with it.

Chrome is definitely enforcing the rejections of typically insecure certificates as part of the browser security model. They have also built in FIDO support for 2FA.


46 posted on 03/03/2017 11:27:34 AM PST by bar sin·is·ter
[ Post Reply | Private Reply | To 43 | View Replies]

To: ConservativeMind

The guys who are going to be doing the attacking aren’t going to be renting Amazon Cloud time. They’re going to be using zombied computers in botnets of their own or hiring one.

You can hire a 400,000+ computer botnet from hackers: https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/

It doesn’t take any $110K, either.


47 posted on 03/03/2017 11:44:33 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 42 | View Replies]

To: Jim Robinson

People actually still trust checks to the US Mail????

CC or Paypal are my usual methods over the years.


48 posted on 03/03/2017 11:45:39 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Spktyr

You said earlier that this issue was as bad as writing your credit card number on the outside of something you sent through the US Post Office.

Obviously, you have a greatly exaggerated sense of truth.

Stop fear mongering and be truthful in your assessments. You hurt your credibility when you go off the charts with exaggerations.


49 posted on 03/03/2017 11:51:10 AM PST by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticides, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 47 | View Replies]

To: Jim Robinson

Jim, it would take someone $110,000 in Amazon Cloud time to crack a single encrypted connection.

We have posters here that are overstating the truth of the matter.

However, an update on your end will be appreciated.


50 posted on 03/03/2017 11:54:47 AM PST by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticides, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 39 | View Replies]

To: Spktyr

Oh, so SHA-1 was cracked by whom last year to have made browsers give warnings?

No one. You exaggerate out the butt.


51 posted on 03/03/2017 11:57:19 AM PST by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticides, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 41 | View Replies]

To: ConservativeMind; Spktyr

I’m a computer developer and professional with many years in the Federal security space.

While SHA-1 is not forbidden, Federally, they are moving to make it non-FIPS-compliant at some point, and internal guidance is to take the 15 minutes and convert your app to SHA-3 or SHA-256.

It’s not QUITE an overstatement to say SHA-1 is insecure. If it is not insecure now, it will be shortly.

Think of conversion to a more robust security schema as a proactive move.


52 posted on 03/03/2017 12:01:52 PM PST by Lazamataz (The "news" networks and papers are bitter, dangerous enemies of the American people.)
[ Post Reply | Private Reply | To 51 | View Replies]

To: ConservativeMind

Actually, the warnings started in 2014-2015 as the vulnerability of SHA-1 was anticipated, but not proven. See the cited articles. Google just proved it last month.


53 posted on 03/03/2017 12:39:51 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 51 | View Replies]
