Obsolete Cipher Suite Message
-
As I've been doing more research into VPNs and SSLs, I've come across the following (in Chrome) in a lot of sites.
Is this something to be concerned about? I thought maybe it was something on my browser end, but then why are some OK and some not?
I Googled and it looks to be something on the server side, but why would these larger companies not have fixed that?
Examples:
https://www.microsoft.com - obsolete
https://www.godaddy.com - obsolete
https://www.linuxmint.org - modern
https://www.digitalocean.com - modern
-
This is essentially telling you that the encryption your browser negotiated with the website in question is getting old - it might not yet have been compromised but the general confidence in its protection is quite low and you should avoid using it for things where you really need to be certain of the protection encryption offers.
Say you download software and you need to be sure it ain't compromised - take this warning seriously. Not as a home user, probably, unless you are banking (your bank REALLY ought to use newer ciphers). But as a business - it isn't unreasonable to kick Microsoft for this, you're downloading software from their site.
-
@jospoortvliet said in Obsolete Cipher Suite Message:
But as a business - it isn't unreasonable to kick Microsoft for this, you're downloading software from their site.
And this isn't just their home page, it is on ODfB and SharePoint.
-
I've become obsessed with checking this on every HTTPS site.
Perhaps I need more hobbies.
-
I hear good things about Warhammer 40K
-
@scottalanmiller said in Obsolete Cipher Suite Message:
I hear good things about Warhammer 40K
thread bleed?
Never mind - I missed @BRRABill's hobby comment.
-
@Dashrender said in Obsolete Cipher Suite Message:
Never mind - I missed @BRRABill's hobby comment.
It was just a way to BUMP my thread.
I was surprised no one commented with something that seems so serious being exhibited on some major websites.
-
@BRRABill said in Obsolete Cipher Suite Message:
I've become obsessed with checking this on every HTTPS site.
Perhaps I need more hobbies.
lol I do that.
-
Chrome (through Google's security team) is pushing the industry to stronger standards, some argue, faster than is needed. Personally I'm on board with Google. Without the weight of someone like Google pushing this, things just don't happen until it's way past a useful change.
In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.
There are several Security Now podcasts about this topic. Steve Gibson rode out his SHA-1 cert until Dec 31 of last year to allow those people who are using old ass browsers like IE on XP and the built-in browser on Android 2.1. Those browsers don't support SHA-256, and since there was no current real threat, Steve felt it best to be available as long as possible.
Now the industry as a whole is moving away from the SHA-1 certs, but they are still valid until the end of this year I believe.
https://isc.sans.edu/forums/diary/SHA1+Phase+Out+Overview/20423/
-
@Dashrender said in Obsolete Cipher Suite Message:
In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.
It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
-
@tonyshowoff said in Obsolete Cipher Suite Message:
@Dashrender said in Obsolete Cipher Suite Message:
In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.
It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
I'll read this in a min, but if this is what I heard about, there's a possible collision in something like the first half, or quarter or something.. which is a work toward the whole.. but definitely not a finished product by any means.
-
@tonyshowoff said in Obsolete Cipher Suite Message:
@Dashrender said in Obsolete Cipher Suite Message:
In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.
It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
OK now I've read it.. interesting.. if this is really the case, then why isn't it getting more attention? And that was from 2005. Eleven years ago... this is borderline NSA/Snowden like stuff.
-
@Dashrender said in Obsolete Cipher Suite Message:
@tonyshowoff said in Obsolete Cipher Suite Message:
@Dashrender said in Obsolete Cipher Suite Message:
In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.
It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
OK now I've read it.. interesting.. if this is really the case, then why isn't it getting more attention? And that was from 2005. Eleven years ago... this is borderline NSA/Snowden like stuff.
Well, MD5 was defeated as early as 1996, and to this day it's huge, and only recently did SHA-1 replace it in many places. So it's about the same timeframe, Google's on the right track like you said.
-
I don't think it is an SHA issue.
-
@BRRABill said in Obsolete Cipher Suite Message:
I don't think it is an SHA issue.
Yes it is, especially because of how fast you can actually collide in SHA-1. Consider, though, MD5 support for certificates wasn't even broadly removed until about 17 years after it was first found to be weak; I think Google just wants to speed things up. Me personally, I think we should all use SHA-512 (a part of SHA-2), it's what I use for everything I can. 256 will do though.
-
Is HMAC-SHA1 the same as SHA1?
-
@BRRABill No, and it's more secure than SHA-1, so long as the key is safe. The SHA1 part of HMAC-SHA1 refers to how it's calculated.
-
@tonyshowoff said in Obsolete Cipher Suite Message:
@BRRABill No, and it's more secure than SHA-1, so long as the key is safe.
The reason I asked is because https://www.microsoft.com (for example) is using HMAC-SHA1.
Hence why I said it isn't a SHA-1 issue causing this, at least on that site, and others.
Or am I mistaken there?
-
@BRRABill said in Obsolete Cipher Suite Message:
@tonyshowoff said in Obsolete Cipher Suite Message:
@BRRABill No, and it's more secure than SHA-1, so long as the key is safe.
The reason I asked is because https://www.microsoft.com (for example) is using HMAC-SHA1.
Hence why I said it isn't a SHA-1 issue causing this, at least on that site, and others.
Or am I mistaken there?
In this case there really is no difference, as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256).
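
Added example, not part of any post in this thread: a Python sketch that splits a TLS 1.2 cipher suite name into key exchange, cipher and MAC, which is where the HMAC-SHA1 asked about above lives, separately from the SHA-1 certificate signatures discussed earlier. The modern/obsolete rule used here (TLS 1.2, ephemeral key exchange, AEAD cipher) is an assumption based on how Chrome labelled connections at the time, and the suite names and key are constructed samples.

```python
import hashlib
import hmac
import re

AEAD_TAGS = ("GCM", "CCM", "CHACHA20_POLY1305")
EPHEMERAL_KX = ("ECDHE", "DHE")

def parse_suite(name):
    """Split an IANA TLS 1.2 name: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)_(SHA\d*|MD5)", name)
    if m is None:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx_auth, cipher, digest = m.groups()
    digest = "SHA1" if digest == "SHA" else digest  # bare "SHA" means SHA-1
    aead = any(tag in cipher for tag in AEAD_TAGS)
    # With an AEAD cipher the trailing hash only feeds the PRF; otherwise it
    # names the HMAC that authenticates each record.
    mac = "AEAD" if aead else "HMAC-" + digest
    return {"kx": kx_auth.split("_")[0], "cipher": cipher, "mac": mac}

def classify(name, protocol="TLSv1.2"):
    """Return ("modern" | "obsolete", reasons) under the assumed rule."""
    parts = parse_suite(name)
    reasons = []
    if protocol != "TLSv1.2":
        reasons.append(f"protocol {protocol}")
    if parts["kx"] not in EPHEMERAL_KX:
        reasons.append(f"key exchange {parts['kx']} is not ephemeral")
    if parts["mac"] != "AEAD":
        reasons.append(f"{parts['cipher']} with {parts['mac']} is not AEAD")
    return ("obsolete" if reasons else "modern"), reasons

def record_mac_vs_plain_hash(key, data):
    """HMAC-SHA1 is keyed; plain SHA-1 (as in a certificate signature) is not."""
    return hmac.new(key, data, hashlib.sha1).hexdigest(), hashlib.sha1(data).hexdigest()

# Constructed sample names, not captured from the sites named in the thread.
SAMPLES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, *classify(suite))
    print(record_mac_vs_plain_hash(b"constructed-key", b"record"))
```

Under this rule a CBC suite is flagged even when its MAC is HMAC-SHA384, so the label follows the cipher mode and key exchange rather than SHA-1 alone.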