2017-07-10 19:30 GMT+02:00 Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx>:
> From: openssl-users [mailto:openssl-users-bounces@openssl.org] On Behalf Of Niklas Keller
> Sent: Monday, July 10, 2017 11:12
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Rejecting SHA-1 certificates
>
>> It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.
>
> Care to demonstrate that?
>
> I'm not sure how feasible that is for either SHA1 or MD5.
>
> The SHAttered attack demonstrated an SHA1 collision using 1) an enormous amount of resources and 2) a file format with plenty of scope for manipulating the preimages. I'm not aware of any public demonstration showing anything close to a practical way of forging an X.509 certificate with an SHA1-based signature. Certificates have far less scope for manipulating the preimage.
>
> It's always been possible to forge certificates. Generally that's been done by stealing the signing key from a poorly-secured CA. The new marginal feasibility of producing SHA1 collisions does not significantly increase the forgery risk for X.509 certificates at present, since it's probably still too difficult - perhaps not even possible for any useful forgery (if the forged certificate had to carry a suspect amount of unexpected data, for example) - and certainly far too expensive to justify the vast majority of potential attacks.

Probably true, yes.

> A security vulnerability is meaningless outside the context of a threat model. Forging certificates with SHA1-based signatures is a very minor branch of the attack tree for nearly all certificate holders. CAs and browser vendors are getting rid of SHA1-based signatures now because the cost of being proactive is very small, and attacks only get better. That doesn't mean immediately screening out all SHA1-based certificates is justified under sensible threat models.
>
> What's your threat model, and how does it justify this effort?
The same as for browsers, I guess. Could you explain why browsers and Java disable SHA1, but it's not worth it for me to do so?
Regards, Niklas
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
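The screening the thread is arguing about, as an added example that is neither OpenSSL code nor code posted by either participant: a stdlib-only Python check that reads the signatureAlgorithm of every certificate in a leaf-first chain, flags SHA-1 and MD5, and applies the rule browsers used when they dropped SHA-1, namely that the self-signature on the trust anchor is exempt because no verifier ever checks it. The OIDs in the two tables are the standard RFC 3279/4055/5758 values; the certificates fed to the check are constructed inside the block with meaningless signature bits (only their DER structure matters here), and both the byte-equality name comparison and the deliberately short OID tables are simplifications noted in the comments.

```python
"""Screen a leaf-first X.509 chain for SHA-1/MD5 signatures using stdlib-only DER parsing.
Browser-style policy: the trust anchor's own signature is ignored (verifiers never
check it); every other certificate in the chain must be signed with a stronger hash."""

WEAK_SIGNATURE_OIDS = {                  # hash no longer collision resistant
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIGNATURE_OIDS = {                # accepted outright (deliberately short table)
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# RSASSA-PSS (1.2.840.113549.1.1.10) is in neither table on purpose: its hash is in
# the parameters, so it is reported "unknown" and a fail-closed caller rejects it.

def _read_tlv(buf, pos):                 # -> (tag, value_start, value_end) of the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: 0x80 | number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(value):                    # yields (tag, content, raw_tlv) for each nested element
    pos = 0
    while pos < len(value):
        tag, vs, ve = _read_tlv(value, pos)
        yield tag, value[vs:ve], value[pos:ve]
        pos = ve

def _decode_oid(content):
    first, acc = content[0], 0
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    for b in content[1:]:                # base-128 arcs, 0x80 is the continuation bit
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _algorithm_oid(alg_value):           # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    return _decode_oid(next(_children(alg_value))[1])

def inspect_certificate(der):
    """Both signature OIDs of one DER certificate, plus whether issuer == subject
    (byte equality of the encoded Names, a simplification of RFC 5280 name matching)."""
    tag, vs, ve = _read_tlv(der, 0)
    parts = list(_children(der[vs:ve]))
    if tag != 0x30 or [p[0] for p in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("expected SEQUENCE { tbsCertificate, signatureAlgorithm, BIT STRING }")
    fields = list(_children(parts[0][1]))
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"signature_oid": _algorithm_oid(parts[1][1]),
            "tbs_signature_oid": _algorithm_oid(fields[1][1]),
            "self_issued": fields[2][2] == fields[4][2]}

def signature_verdict(info, is_trust_anchor=False):
    """'ok', 'weak', 'unknown' or 'mismatch' for one parsed certificate."""
    oid = info["signature_oid"]
    if oid != info["tbs_signature_oid"]:
        return "mismatch"                # RFC 5280 4.1.1.2: the two fields MUST agree
    if is_trust_anchor and info["self_issued"]:
        return "ok"                      # a root's self-signature is never verified
    if oid in WEAK_SIGNATURE_OIDS:
        return "weak"
    return "ok" if oid in STRONG_SIGNATURE_OIDS else "unknown"

def chain_verdicts(chain_der):           # leaf first; only the last certificate may be the anchor
    last = len(chain_der) - 1
    return [signature_verdict(inspect_certificate(c), i == last) for i, c in enumerate(chain_der)]

def chain_acceptable(chain_der):         # fail closed: "unknown" is not acceptable
    return all(v == "ok" for v in chain_verdicts(chain_der))

# --- constructed input: structurally valid DER certificates with meaningless signature bits ---
def _tlv(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                 # big-endian 7-bit groups, continuation bit on all but the last
        groups = [(arc >> s) & 0x7F for s in range(0, max(arc.bit_length(), 1), 7)][::-1]
        out += bytes([0x80 | g for g in groups[:-1]] + [groups[-1]])
    return _tlv(0x06, bytes(out))

def _name(cn):                           # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))

def fake_certificate(sig_oid, issuer_cn, subject_cn, tbs_sig_oid=None):
    alg = lambda oid: _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"170710000000Z") + _tlv(0x17, b"270710000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _encode_oid("1.3.101.112")) + _tlv(0x03, b"\x00" * 33))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg(tbs_sig_oid or sig_oid)
           + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, _tlv(0x30, tbs) + alg(sig_oid) + _tlv(0x03, b"\x00" * 65))

# Leaf signed with SHA-1 under a SHA-256 intermediate and a self-signed SHA-1 root.
DEMO_CHAIN = [fake_certificate("1.2.840.113549.1.1.5", "Demo Intermediate", "www.example.test"),
              fake_certificate("1.2.840.113549.1.1.11", "Demo Root", "Demo Intermediate"),
              fake_certificate("1.2.840.113549.1.1.5", "Demo Root", "Demo Root")]
```

Running `chain_verdicts(DEMO_CHAIN)` gives `['weak', 'ok', 'ok']`: the SHA-1 root is tolerated because its signature never enters verification, the SHA-1 leaf is not, and a self-signed certificate that is not the last element of the chain gets no exemption. Two details matter in practice: a certificate whose outer signatureAlgorithm differs from tbsCertificate.signature is reported as `mismatch` rather than silently classified on one of the two, and anything outside the two tables (RSASSA-PSS, for instance) is `unknown`, which `chain_acceptable` treats as a rejection. In an OpenSSL deployment the same decision would sit in a verify callback, reading each chain element's signature NID with `X509_get_signature_nid()` and skipping the self-signed anchor at the top depth.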