By the way Gerv, in your flurry of posts to CA/B Forum public you comment
"If I were going to calculate a SHA-1 collision, the certificate of a
machine handling tens or hundreds of thousands of credit cards a day
would be a reasonably obvious target, ISTM."

This would need a second pre-image attack. No such attack exists, nor is one
thought likely to exist in the foreseeable future for SHA-1.

I think you've misunderstood here (perhaps only momentarily). A collision 
attack is a very limited sort of attack, not capable of getting much value from 
any ordinary legitimate issuances. If not for this the whole SHA-1 Exception 
process would no doubt have been resisted firmly by Google's team who seem to 
have their fingers very much on the pulse.

Collision only lets you make two documents, A and B, such that when A is signed 
the resulting signature may be instead fastened to B and appear legitimate. The 
contents of B may be quite different from A, and the signer of A has no idea 
what they are. Of course to make use of this you need to get someone to sign 
document A. The SHA-1 Exception process makes the Subject jump through lots of 
hoops not merely because it is fun to see fools jump through hoops but because 
it gives us confidence that they aren't presenting document A for a collision 
attack.

* We ask to see the entire tbsCertificate before it is signed (the first time 
around Symantec managed to screw this part up...) which lets us see if it has 
any suspicious properties, gibberish, unexplained padding, etc.

* We ask for a waiting period, which gives us time to run tools specifically 
built to look for document A, finding for example weird patterns in the 
intermediate results inside the hash calculations, and also to go back and ask 
for a slightly different tbsCertificate, not the one which was originally 
proposed, thereby destroying the value of any pre-computation done to create 
document A.

* We do the whole laborious process only on request. A real attacker would 
probably want to try many times, because often they have some statistics on 
their side if only they can try often enough or spend enough money. Insisting 
they try only rarely forces up the cost greatly.

* We ask the Issuer (so far invariably Symantec) to produce the actual 
tbsCertificate based on details from the Subject. This means the only way it 
can be document A is if the Issuer and Subject collude (or are secretly one and 
the same) or if the Issuer is incompetent.

* We want to talk to an actual representative of the Subject, and understand 
what they want this certificate for. A group actually seeking to get document A 
signed would doubtless want to remain anonymous because it will soon be 
apparent that they've conducted a swindle.

So long as this hoop jumping continues, the practical risk from each SHA-1 
Exception is very low. The problem is, the moral hazard creates the potential 
for so many exceptions to be requested that people start to wonder about 
automating it, and without all the hoop jumping the risks become quite serious. 
Like Uranium 235, SHA-1 is not very dangerous so long as it remains something a 
handful of careful people are using in small quantities under supervision, 
rather than something anybody can get for $19.99 by filling out a web form.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

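The distinction the post turns on (a collision needs the attacker to choose both documents, a second pre-image does not) and the reason re-generating the tbsCertificate at the Issuer destroys any precomputation can be seen with a toy model. The Python below is an added illustration, not code from the original post or from any CA's issuance pipeline. It replaces SHA-1 with SHA-256 truncated to 20 bits so both searches finish in seconds; the issuer key, the two "tbsCertificate" prefixes and the serial number are constructed sample values, and the HMAC-over-digest "signature" is a stand-in for a real signature scheme that, like the real thing, commits only to the hash of the document.

```python
"""Collision vs. second preimage, on a deliberately weak hash.

Added illustration, not code from the original post. The hash is SHA-256
truncated to 20 bits so that both searches finish in seconds; SHA-1 is
160 bits, and only the *ratio* of the two costs carries over.
"""
import hashlib
import hmac

HASH_BITS = 20                    # toy digest size: 2**20 possible values
HASH_BYTES = (HASH_BITS + 7) // 8


def toy_hash(doc: bytes) -> int:
    """Top HASH_BITS bits of SHA-256(doc); stands in for a weak hash."""
    full = int.from_bytes(hashlib.sha256(doc).digest(), "big")
    return full >> (256 - HASH_BITS)


def sign(key: bytes, doc: bytes) -> bytes:
    """Toy signature: like a real one, it commits only to the digest of doc."""
    digest = toy_hash(doc).to_bytes(HASH_BYTES, "big")
    return hmac.new(key, digest, "sha256").digest()


def verify(key: bytes, doc: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, doc), sig)


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes):
    """Birthday search for A, B with different chosen prefixes and equal digests.

    The attacker controls BOTH documents, so roughly 2**(HASH_BITS/2) tries
    suffice.  Returns (A, B, rounds).
    """
    seen_a, seen_b = {}, {}
    rounds = 0
    while True:
        rounds += 1
        nonce = b" nonce=" + str(rounds).encode()
        a = prefix_a + nonce
        ha = toy_hash(a)
        if ha in seen_b:
            return a, seen_b[ha], rounds
        seen_a[ha] = a
        b = prefix_b + nonce
        hb = toy_hash(b)
        if hb in seen_a:
            return seen_a[hb], b, rounds
        seen_b[hb] = b


def second_preimage(target: bytes, prefix_b: bytes, limit: int = 1 << 24):
    """Search for a document != target with the same digest as a FIXED target.

    The attacker no longer chooses both sides, so the expected cost is about
    2**HASH_BITS tries: no birthday bonus.  Returns (doc, tries) or (None, limit).
    """
    want = toy_hash(target)
    for i in range(limit):
        cand = prefix_b + b" nonce=" + str(i).encode()
        if cand != target and toy_hash(cand) == want:
            return cand, i + 1
    return None, limit


def issuer_rewrites(requested: bytes, fresh_serial: bytes) -> bytes:
    """Issuer builds the final tbsCertificate itself, adding a value the
    requester could not predict; a precomputed pair (A, B) is now useless."""
    return requested + b" serial=" + fresh_serial.hex().encode()


def demo() -> dict:
    # Constructed sample values; the "certificates" are schematic strings.
    issuer_key = b"constructed-issuer-signing-key"
    prefix_a = b"tbsCertificate CN=shop.example.com basicConstraints=CA:FALSE"
    prefix_b = b"tbsCertificate CN=Rogue Intermediate basicConstraints=CA:TRUE"

    # 1. Attacker precomputes a colliding pair, then submits the innocuous A.
    a, b, collision_rounds = find_chosen_prefix_collision(prefix_a, prefix_b)
    sig_on_a = sign(issuer_key, a)
    transferred = verify(issuer_key, b, sig_on_a)       # signature "fastens" to B

    # 2. Issuer instead re-generates the tbsCertificate before signing.
    a_prime = issuer_rewrites(a, bytes(range(1, 9)))    # constructed serial number
    sig_on_a_prime = sign(issuer_key, a_prime)
    still_transfers = verify(issuer_key, b, sig_on_a_prime)

    # 3. Attacking the document the issuer actually signed is a second-preimage problem.
    c, preimage_tries = second_preimage(a_prime, prefix_b)

    return {
        "a": a, "b": b, "collision_rounds": collision_rounds,
        "transferred": transferred,
        "a_prime": a_prime, "still_transfers": still_transfers,
        "second_preimage": c, "preimage_tries": preimage_tries,
    }


if __name__ == "__main__":
    r = demo()
    print("collision after", r["collision_rounds"], "rounds; sig on A verifies on B:", r["transferred"])
    print("after issuer rewrite, sig on A' verifies on B:", r["still_transfers"])
    print("second preimage of A' found after", r["preimage_tries"], "tries")
```

Running it shows the collision landing after on the order of a thousand rounds while the second pre-image search against the issuer-rewritten A' takes on the order of a million, the 2^(n/2) versus 2^n gap that the post relies on. With a 160-bit hash the first number is what a well-funded attacker can afford and the second is not, which is why the Exception process spends its effort on making sure the Subject never gets to dictate the exact bytes that are signed.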