Jump to content
securitybreach

Exploit Fully Breaks SHA-1, Lowers the Attack Bar

Recommended Posts

securitybreach
Quote

 

A proof-of-concept attack has been pioneered that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.

 

The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources.

 

“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers wrote. “Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.”

 

Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger. And, in backward compatibility scenarios, users can experience downgraded encrypted connections to the outdated hash function, which opens the door to attacks even in instances where SHA-1 isn’t the default.....

 

 

https://threatpost.com/exploit-fully-breaks-sha-1/151697/

  • Like 1
  • Sad 1
  • Thanks 1

Share this post


Link to post
Share on other sites
V.T. Eric Layton
30 minutes ago, securitybreach said:

GnuPG, OpenSSL and Git could be in immediate danger.

 

Oh, goody!

  • Like 1

Share this post


Link to post
Share on other sites
zlim

So who is still using this?

If your site is still using SHA-1 certificates, then visitors to your website in Chrome will be met with a warning. ... In addition to Chrome, other popular web browsers like Mozilla Firefox and Microsoft Edge have joined in blocking SHA-1 certificates in early 2017.
It is also been blocked in IE 11.

 

I guess only those who choose to ignore warnings would go to dangerous sites.

  • Like 1

Share this post


Link to post
Share on other sites
securitybreach

Well the problem is that lots of linux distros use them along with md5 to check their ISOs. As well as Github,  and others who still use SHA1.

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...