Google has announced its timeline for
deprecating SHA-1 certificates, despite concerns expressed recently that
sunsetting the broken encryption hashing algorithm will disconnect millions
from the Internet.
SHA-1’s demise has
been accelerated in recent months since researchers published a paper
explaining that practical collision attacks could be months, instead of years,
away.
Google, on Friday,
announced that starting with Chrome 48 in early January, users will see error
messages displayed if the browser encounters a site signed with a SHA-1
certificate issued on or after Jan. 1, 2016, 11 days from today. By Jan. 1,
2017, or possibly even as early as July 1, 2016, SHA-1 will be blocked
altogether in Chrome. Microsoft has already announced it will start blocking SHA-1-signed certs in June 2016.
At this point,
sites that have a SHA-1-based signature as part of the certificate chain (not
including the self-signature on the root certificate) will trigger a fatal
network error,” Google said in its announcement. “This includes certificate chains that
end in a local trust anchor as well as those that end at a public CA.”
Microsoft and Mozilla are on similar
timelines for ending support for SHA-1, and urge site operators to support
SHA-2, drop support for non-RC4 cipher suites, and implement TLS.
In the meantime, Facebook and CloudFlare recently made public pleas to reexamine
the path forward on SHA-1. Facebook chief security officer Alex Stamos shared
data that shows that up to 7 percent of browsers in use do not support SHA-256,
for example, and that tens of millions will be cut off from the Internet as of
next Friday.
“A disproportionate number of those
people reside in developing countries, and the likely outcome in those counties
will be a serious backslide in the deployment of HTTPS by governments,
companies and NGOs that wish to reach their target populations,” Stamos wrote.
CloudFlare CEO Matthew Prince,
meanwhile, made his case by pointing out that unlike when MD5 was put out to
pasture and SHA-1 support was widespread, the same cannot be said for SHA-2,
which is also not supported on older mobile devices.
“In a Silicon Valley tech company,
where most employees get a new laptop every year and having a 5-year-old phone
is unheard of, this may not seem like a problem. But the Internet is used by
billions of people around the world and most of them don’t have the latest
technology,” Prince said. “To understand the impact, we spent the last few
weeks testing browser connections to CloudFlare’s network for SHA-2 support. We
see approximately 1 trillion page views for more than 2.2 billion unique
visitors every month, which gives us a pretty representative sample of global
traffic.”
Prince said approximately 37 million
could be cut off from the Internet by the SHA-1 deprecation. Stamos, meanwhile,
proposed that the CA/Browser Forum create a new Legacy Verified certificate
that would issued to organizations that have made SHA-256 certs available to
moder browsers.
“Such verification can be automated
or manual, and appropriate measures can be put in place to reduce the risk of a
collision attack. Those protections could include requiring LV applicants to
have already passed OV or EV verification, as well as technical best practices
such as serial number randomization,” Stamos wrote. “If this change cannot be
implemented by December 31st, then we call on the CA/B Forum to delay the
implementation of the SHA-1 rules for the period necessary to establish
standards for Legacy certificates.”
The rush began in
earnest in October when an academic paper demonstrated with some measure of
practicality that tweaks to existing attacks and advances in the analysis of
SHA-1 drastically reduce the cost and time to generate a collision attack
against SHA-1, dropping the cost down to between $75,000 and $100,000 USD and
trimming down the time to between 49 and 78 days, both well within reach of
resourced nation-state attackers and higher end cybercrime outfits.
“This is not an easy issue, and there
are well-meaning people with good intentions who will disagree,” Stamos said.
“We hope that we can find a way forward that promotes the strongest encryption
technologies without leaving behind those who are unable to afford the latest
and greatest devices.”
0 comments:
Post a Comment