Re: Rejecting SHA-1 certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Niklas Keller
> Sent: Monday, July 10, 2017 11:12
> To: openssl-users@xxxxxxxxxxx
> Subject: Re:  Rejecting SHA-1 certificates


> It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.

Care to demonstrate that?

The SHAttered attack demonstrated an SHA1 collision using 1) an enormous amount of resources and 2) a file format with plenty of scope for manipulating the preimages. I'm not aware of any public demonstration showing anything close to a practical way of forging an X.509 certificate with an SHA1-based signature. Certificates have far less scope for manipulating the preimage.

It's always been possible to forge certificates. Generally that's been done by stealing the signing key from  a poorly-secured CA. The new marginal feasibility of producing SHA1 collisions does not significantly increase the forgery risk for X.509 certificates at present, since it's probably still too difficult - perhaps not even possible for any useful forgery (if the forged certificate had to carry a suspect amount of unexpected data, for example) - and certainly far too expensive to justify the vast majority of potential attacks.

A security vulnerability is meaningless outside the context of a threat model. Forging certificates with SHA1-based signatures is a very minor branch of the attack tree for nearly all certificate holders. CAs and browser vendors are getting rid of SHA1-based signatures now because the cost of being proactive is very small, and attacks only get better. That doesn't mean immediately screening out all SHA1-based certificates is justified under sensible threat models.

What's your threat model, and how does it justify this effort?

Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux