securitybreach Posted January 18, 2020 Share Posted January 18, 2020 Quote A proof-of-concept attack has been pioneered that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering. The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources. “This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers wrote. “Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.” Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger. And, in backward compatibility scenarios, users can experience downgraded encrypted connections to the outdated hash function, which opens the door to attacks even in instances where SHA-1 isn’t the default..... https://threatpost.com/exploit-fully-breaks-sha-1/151697/ 1 1 1 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 18, 2020 Share Posted January 18, 2020 30 minutes ago, securitybreach said: GnuPG, OpenSSL and Git could be in immediate danger. Oh, goody! 1 Quote Link to comment Share on other sites More sharing options...
zlim Posted January 19, 2020 Share Posted January 19, 2020 So who is still using this? If your site is still using SHA-1 certificates, then visitors to your website in Chrome will be met with a warning. ... In addition to Chrome, other popular web browsers like Mozilla Firefox and Microsoft Edge have joined in blocking SHA-1 certificates in early 2017. It is also been blocked in IE 11. I guess only those who choose to ignore warnings would go to dangerous sites. 1 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted January 19, 2020 Author Share Posted January 19, 2020 Well the problem is that lots of linux distros use them along with md5 to check their ISOs. As well as Github, and others who still use SHA1. 1 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 19, 2020 Share Posted January 19, 2020 By the way, Josh... I thought this sounded familiar, but my over 50 brain couldn't remember, so I had to search. Seems that SHA1 has been compromised for quite some time already... https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.