The hashclash attack requires the CA to do more than just use SHA-1. They have to use a predictable serial number.
That is not an argument for not withdrawing SHA-1 toute haste. It is however a reason for folk not to do the usual headless chicken thing. Striking out SHA-1 effectively means the end of RSA1024 because every browser that can do SHA2 can almost certainly do RSA2048. There will probably be some niche cases that call for continuing to issue SHA-1 certs but only the genuine niche applications will want them at all once the browsers start rejecting them.

On Fri, Jan 3, 2014 at 1:15 PM, Kurt Roeckx <[email protected]> wrote:
> Hi,
>
> Microsoft has proposed to stop issuing new certificates using SHA1 by 2016 in certificates.
> (http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx).
>
> Mozilla also has a bug that even suggests to stop accepting some new certificates in 3 months and stop accepting any in 2017.
> https://bugzilla.mozilla.org/show_bug.cgi?id=942515
>
> But it's unclear if this is really a policy or just what some people think should happen.
>
> This seems to also recently have been discussed in the CA/Browser forum, but I have a feeling not everybody sees the need for this.
> https://cabforum.org/2013/12/19/2013-12-19-minutes/
>
> I want to point out that SHA1 is broken for what it is used in certificates. SHA1 should have a collision resistance of about 2^80 but the best known attack reduces this to about 2^60. In 2012 it cost about 3M USD to break SHA-1, in 2015 this will only be about 700K USD. See https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
>
> With a collision it's possible to create a rogue CA. See: http://www.win.tue.nl/hashclash/rogue-ca/
>
> This is only based on what is the best known attack currently publicly known. There might be other attacks that we don't know about yet even further reducing the cost, specialised hardware and so on.
>
> This is just waiting to either happen or until someone finds out that it did happen.
>
> I would like to encourage everybody to start using SHA2 in certificates as soon as possible, since that's clearly the weakest part of the whole chain.
>
> This is more important than stopping to use 1024 RSA keys since they still have a complexity of 2^80. But you really should also stop using that.
>
> Can someone please try to convince the CAB forum about the need for this?
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Website: http://hallambaker.com/
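The audit a defender would want after this exchange is a check for the two weak points it names: certificates signed with SHA-1, and serial numbers too short to carry much entropy (the thread's point is that the rogue-CA collision needs a predictable serial). This is an added example, not code from the thread or from any project named in it; it takes a DER-encoded certificate (for instance the output of `openssl x509 -outform DER`) and walks only the fields it needs with a small stdlib DER reader. The 64-bit serial threshold and the embedded certificate skeleton are constructed assumptions for this example.

```python
# Signature-algorithm OIDs (RFC 3279) whose hash is SHA-1.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
MIN_SERIAL_BITS = 64  # audit threshold assumed for this example, not from the thread


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Convert OID content octets to dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def audit_certificate(der):
    """Return a list of findings for a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(der)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)   # tbsCertificate ::= SEQUENCE
    tag, val, pos = der_tlv(tbs)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes the serial
        tag, val, pos = der_tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)  # serialNumber INTEGER
    _, alg, _ = der_tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, oid_raw, _ = der_tlv(alg)   # algorithm OID inside it
    oid = decode_oid(oid_raw)
    findings = []
    if oid in SHA1_SIG_OIDS:
        findings.append(f"signed with {SHA1_SIG_OIDS[oid]}")
    if serial.bit_length() < MIN_SERIAL_BITS:
        findings.append(f"serial has only {serial.bit_length()} bits")
    return findings


# Constructed sample: a certificate skeleton carrying only the audited fields
# (v3 version tag, serial 4097, sha1WithRSAEncryption), not a real certificate.
SAMPLE_SHA1_CERT = bytes.fromhex(
    "301a3018a003020102" "02021001" "300d06092a864886f70d0101050500")
```

Running `audit_certificate(SAMPLE_SHA1_CERT)` reports both findings; a SHA-2 signed certificate with a full-entropy serial returns an empty list.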

