
October 8, 2015

I Don't Accept the Risk of SHA-1

Website operators have to configure a dizzying number of security properties for their website: protocol versions, TLS ciphers, certificate hash algorithm, and so on. Most of these properties provide an individual benefit: when you configure your server to require secure protocol versions and strong ciphers, connections to your website are immediately made more secure. It doesn't affect your website's security if some other schmuck is still using SSLv3 with RC4 and 1024 bit Diffie-Hellman on their website.

However, other security properties, particularly those related to certificates, provide more of a collective security benefit, where everyone's security is determined by the security of the lowest common denominator. A timely example is the hash algorithm used in certificate signatures. Until recently, SHA-1 was the most common algorithm. Unfortunately, SHA-1 is dangerously weak, so the Internet is transitioning to the more secure SHA-2 family (SHA-256 and up). Under the current deprecation schedule, certificate authorities must stop issuing SHA-1 certificates on January 1, 2016, and SHA-1 certificates issued before then must not be valid past January 1, 2017, which means that on January 1, 2017, browsers can stop trusting SHA-1 certificates.

Unfortunately, since this is a collective security property, there's nothing an individual website operator can do in the meantime to improve the security of their site. This site, www.agwa.name, uses a SHA-2 certificate, but the truth is that it's no more secure than a site using a SHA-1 certificate. That's because an attacker who can generate a SHA-1 collision can forge a SHA-1 certificate for www.agwa.name: they get a CA that still signs with SHA-1 to issue them a perfectly legitimate certificate, and because the CA's signature covers only the SHA-1 hash of the certificate contents, that same signature validates over a colliding certificate the attacker prepared with www.agwa.name in it. Since so many websites still use SHA-1 certificates, and it's not 2017 yet, web browsers will accept the forged certificate and be none the wiser. None of us will be more secure until certificate authorities stop signing, and web browsers stop accepting, certificates with SHA-1 signatures.
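To make the two halves of that argument concrete, here is an added example (my own code, not from this post or from agwa.name): a stdlib-only Python walker that pulls the signature hash algorithm out of a DER certificate, and a relying-party policy of the kind the post wants browsers to enforce. The certificates it operates on are constructed toy structures that carry only the fields the walker reads (version, serial number, the signature AlgorithmIdentifier inside and outside tbsCertificate, and 32 zero bytes standing in for the signature); they are not real certificates, and the `POLICY_2015` / `POLICY_2017` sets are illustrative, not any particular browser's policy. The OIDs themselves are the real ones from RFC 3279, RFC 4055 and RFC 5758.

```python
SEQUENCE, INTEGER, BIT_STRING, NULL, OID, EXPLICIT_0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0

HASH_BY_OID = {  # signature-algorithm OID -> hash it uses (RFC 3279, 4055, 5758)
    "1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512", "1.2.840.10045.4.1": "sha1",
    "1.2.840.10045.4.3.2": "sha256", "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512"}
POLICY_2015 = {"md2", "md5"}            # illustrative: MD5 was already rejected in 2015
POLICY_2017 = POLICY_2015 | {"sha1"}    # the post's schedule: browsers add SHA-1 on Jan 1, 2017

def read_tlv(buf, pos, tag=None):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    t, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N big-endian length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or (tag is not None and t != tag):
        raise ValueError(f"bad or truncated TLV (tag 0x{t:02x}) at offset {pos}")
    return t, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    if not arcs or raw[-1] & 0x80:
        raise ValueError("malformed OID")
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def signature_algorithm_oids(cert_der):
    """(outer signatureAlgorithm OID, signed tbsCertificate.signature OID)."""
    _, cert, _ = read_tlv(cert_der, 0, SEQUENCE)
    _, tbs, pos = read_tlv(cert, 0, SEQUENCE)      # tbsCertificate (covered by the signature)
    _, algid, pos = read_tlv(cert, pos, SEQUENCE)  # signatureAlgorithm (not covered)
    read_tlv(cert, pos, BIT_STRING)                # signatureValue
    # tbsCertificate begins: [0] version OPTIONAL, serialNumber INTEGER, signature
    p = read_tlv(tbs, 0)[2] if tbs[:1] == bytes([EXPLICIT_0]) else 0
    _, _, p = read_tlv(tbs, p, INTEGER)
    _, inner, _ = read_tlv(tbs, p, SEQUENCE)
    return decode_oid(read_tlv(algid, 0, OID)[1]), decode_oid(read_tlv(inner, 0, OID)[1])

def signature_hash(cert_der):
    """Hash named by the signature algorithm. The signed inner copy must match the
    unsigned outer one (RFC 5280 4.1.1.2); otherwise a tamperable field drives the check."""
    outer, inner = signature_algorithm_oids(cert_der)
    if outer != inner:
        raise ValueError(f"signatureAlgorithm {outer} != tbsCertificate.signature {inner}")
    return HASH_BY_OID.get(outer, "unknown:" + outer)

def chain_hashes(chain_der):
    """Hashes a client actually verifies: every cert but the trust anchor (last element),
    which is trusted by identity, so its self-signature's algorithm is irrelevant."""
    return [signature_hash(c) for c in chain_der[:-1]]

def client_accepts(chain_der, rejected_hashes):
    return not any(h in rejected_hashes for h in chain_hashes(chain_der))

def der(tag, content):  # minimal DER encoder for the constructed toy certificates
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def algorithm_identifier(oid):
    params = der(NULL, b"") if oid.startswith("1.2.840.113549.1.1.") else b""  # RSA: NULL; ECDSA: absent
    return der(SEQUENCE, der(OID, encode_oid(oid)) + params)

def toy_certificate(sig_oid, tbs_sig_oid=None):
    """Constructed stand-in, not a real certificate: v3, serial 1, the signature
    AlgorithmIdentifier, and 32 zero bytes where the signature would be."""
    tbs = der(SEQUENCE, der(EXPLICIT_0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01")
              + algorithm_identifier(tbs_sig_oid or sig_oid))
    return der(SEQUENCE, tbs + algorithm_identifier(sig_oid) + der(BIT_STRING, b"\x00" + bytes(32)))

if __name__ == "__main__":  # constructed chains, leaf first; the last element is the root
    SHA1, SHA256 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
    genuine = [toy_certificate(SHA256), toy_certificate(SHA256), toy_certificate(SHA1)]
    forged = [toy_certificate(SHA1), toy_certificate(SHA256), toy_certificate(SHA1)]
    for name, chain in ("genuine", genuine), ("forged", forged):
        print(name, chain_hashes(chain), client_accepts(chain, POLICY_2015), client_accepts(chain, POLICY_2017))
```

The `genuine` chain is what a dutifully migrated site serves; the `forged` chain is what an attacker with a SHA-1 collision serves, its leaf carrying a reused SHA-1 CA signature. Nothing in the victim's chain influences which of the two the client accepts; only the client's `rejected_hashes` set does, which is why the 2015 policy lets both through and the 2017 policy rejects the forgery. Two practitioner notes are baked in: the root's own signature algorithm is deliberately ignored, because trust anchors are trusted by identity and their self-signatures are never verified, so a SHA-1-signed root is not a finding; and the AlgorithmIdentifier is read from inside tbsCertificate as well as from the unsigned outer field and the two are required to agree. On a real certificate file the same information is printed as "Signature Algorithm" by `openssl x509 -in cert.pem -noout -text`.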

For this reason, I was dismayed by the recent proposal from Symantec to allow certificate authorities to issue SHA-1 certificates through the end of 2016, because some of their "very large enterprise customers" can't complete the migration in time. Although their proposal would not change the date on which browsers would stop trusting SHA-1, it would extend the period during which new collisions could be created. This was troubling enough when the proposal was made last week, and is even more troubling in light of the research released today that estimates the cost of finding a SHA-1 collision on EC2 to be between just $75,000 and $120,000.

What made me really angry about the proposal was the following statement:

These customers accept the risk of continuing to use new SHA-1 certificates

"These customers" accept the risk? As I explained above, the use of SHA-1 is a collective risk shared by the entire Internet, not just the "very large enterprise customers" who want to keep using SHA-1. What about the rest of the Internet, who want their TLS connections to be secure and who have dutifully migrated to SHA-2 in time for the deadline? Did anyone ask them? I sure as hell don't accept the risk.

The statement is therefore vacuous and thoroughly unpersuasive to anyone who understands how certificates work. But to someone who doesn't understand or isn't reading too closely, it makes the proposal seem less bad for the Internet at large than it really is. I hope that the other members of the CA/Browser Forum see through this and reject the proposal.

Comments

Reader Thomas on 2015-10-09 at 09:51:

Hi,

I believe that the big CAs already have cross-signed SHA-2 intermediaries anyway, so is it not just a matter of "stamp your foot down" and insisting on a SHA-2 intermediary?

Fully agree, "accepting risk" is a really stupid argument. You cannot accept risk... "Yes, my car has a faulty tyre, the light doesn't work and the seatbelt isn't working, I accept the risk in driving 70mph in the middle of the night" - here it sounds stupid, really stupid.

I love this SHA1 thingy. And how "certain" people get wound up and disagree just to disagree it seems, like: http://lwn.net/Articles/132513/

Then there is also https://shaaaaaaaaaaaaa.com/ I found this once a long time ago.

Last but not least, I recently had to argue with my broadband supplier at home, as their site to download bills only supports TLS_RSA_WITH_RC4_128_MD5 as a cipher suite. Yeah, it is 2015, right? We are talking about SHA1 here.

Cheers

Tom


Andrew Ayer on 2015-10-09 at 15:59:

Accepting risk for yourself is fine. What isn't fine is accepting risk on behalf of other people, which is what happens when a vocal minority demands that the SHA-1 deprecation date be extended.

SHA-2 intermediates don't help. As long as CAs are signing with SHA-1, and web browsers are accepting SHA-1 certificates, everyone is vulnerable to SHA-1, even those who use a 100% SHA-2 chain. That's why it's so important to kill SHA-1 as soon as possible, and not extend the deadline.

