ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Obsolete Cipher Suite Message

    IT Discussion
    5
    27
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BRRABillB
      BRRABill @Dashrender
      last edited by BRRABill

      @Dashrender said

      Never mind - I missed @BRRABill hobby comment.

      It was just a way to BUMP my thread.

      I was surprised no one commented with something that seems so serious being exhibited on some major websites.

      1 Reply Last reply Reply Quote 0
      • tonyshowoffT
        tonyshowoff
        last edited by

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • tonyshowoffT
          tonyshowoff @BRRABill
          last edited by

          @BRRABill said in Obsolete Cipher Suite Message:

          I've become obsessed with checking this on every HTTPS site.

          Perhaps I need more hobbies.

          lol I do that.

          1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender
            last edited by

            Chrome (through Google's security team) is pushing the industry to stronger standards, some argue, faster than is needed. Personally I'm on board with Google. Without the weight of someone like Google pushing this, things just don't happen until it's way past a useful change.

            In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.

            There are several Security Now podcasts about this topic. Steve Gibson road out his SHA-1 cert until Dec 31 of last year to allow those people who are using old ass browsers like IE on XP and the built-in browser on Android 2.1. Those browsers don't support SHA-256, and since there was no current real threat, Steve felt it best to be available as long as possible.

            Now the industry as a whole is moving away from the SHA-1 certs, but they are still valid until the end of this year I believe.

            https://isc.sans.edu/forums/diary/SHA1+Phase+Out+Overview/20423/

            tonyshowoffT 1 Reply Last reply Reply Quote 0
            • tonyshowoffT
              tonyshowoff @Dashrender
              last edited by

              @Dashrender said in Obsolete Cipher Suite Message:

              In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.

              It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

              DashrenderD 2 Replies Last reply Reply Quote 0
              • DashrenderD
                Dashrender @tonyshowoff
                last edited by

                @tonyshowoff said in Obsolete Cipher Suite Message:

                @Dashrender said in Obsolete Cipher Suite Message:

                In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.

                It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

                I'll read this in a min, but if this is what i heard about, there's a possible collision in something like the first half, or quarter or something.. which is a work toward the whole.. but definitely not a finished product by any means.

                1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @tonyshowoff
                  last edited by

                  @tonyshowoff said in Obsolete Cipher Suite Message:

                  @Dashrender said in Obsolete Cipher Suite Message:

                  In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.

                  It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

                  OK now I've read it.. interesting.. if this is really the case, then why isn't it getting more attention? And that was from 2005. Eleven years ago... this is borderline NSA/Snowden like stuff.

                  tonyshowoffT 1 Reply Last reply Reply Quote 0
                  • tonyshowoffT
                    tonyshowoff @Dashrender
                    last edited by

                    @Dashrender said in Obsolete Cipher Suite Message:

                    @tonyshowoff said in Obsolete Cipher Suite Message:

                    @Dashrender said in Obsolete Cipher Suite Message:

                    In this case, SHA-1 has still not been short circuited from a hacking perspective so the risk is truly minimal.

                    It has, for a long time: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

                    OK now I've read it.. interesting.. if this is really the case, then why isn't it getting more attention? And that was from 2005. Eleven years ago... this is borderline NSA/Snowden like stuff.

                    Well, MD5 was defeated as early as 1996, and to this day it's huge, and only recently did SHA-1 replace it in many places. So it's about the same timeframe, Google's on the right track like you said.

                    1 Reply Last reply Reply Quote 0
                    • BRRABillB
                      BRRABill
                      last edited by

                      I don't think it is an SHA issue.

                      tonyshowoffT 1 Reply Last reply Reply Quote 0
                      • tonyshowoffT
                        tonyshowoff @BRRABill
                        last edited by tonyshowoff

                        @BRRABill said in Obsolete Cipher Suite Message:

                        I don't think it is an SHA issue.

                        Yes it is, especially because of how fast you can actually collide in SHA-1. Consider, though, MD5 support for certificates wasn't even broadly removed until about 17 years after it was first found to be weak, I think Google just wants to speed things up. Me personally, I think we should all use SHA-512 (a part of SHA-2), it's what I use for everything I can. 256 will do though 😉

                        BRRABillB 1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill @tonyshowoff
                          last edited by

                          @tonyshowoff

                          Is HMAC-SHA1 the same as SHA1?

                          tonyshowoffT 1 Reply Last reply Reply Quote 0
                          • tonyshowoffT
                            tonyshowoff @BRRABill
                            last edited by tonyshowoff

                            @BRRABill No, and it's more secure than SHA-1, so long as the key is safe. The SHA1 part of HMAC-SHA1 refers to how it's calculated.

                            BRRABillB 1 Reply Last reply Reply Quote 0
                            • BRRABillB
                              BRRABill @tonyshowoff
                              last edited by

                              @tonyshowoff said in Obsolete Cipher Suite Message:

                              @BRRABill No, and it's more secure than SHA-1, so long as the key is safe.

                              The reason I asked because https://www.microsoft.com (for example) is using HMAC-SHA1.

                              Hence why I said it isn't a SHA-1 issue causing this, at least on that site, and others.

                              Or am I mistaken there?

                              tonyshowoffT 1 Reply Last reply Reply Quote 0
                              • tonyshowoffT
                                tonyshowoff @BRRABill
                                last edited by

                                @BRRABill said in Obsolete Cipher Suite Message:

                                @tonyshowoff said in Obsolete Cipher Suite Message:

                                @BRRABill No, and it's more secure than SHA-1, so long as the key is safe.

                                The reason I asked because https://www.microsoft.com (for example) is using HMAC-SHA1.

                                Hence why I said it isn't a SHA-1 issue causing this, at least on that site, and others.

                                Or am I mistaken there?

                                In this case there really is no difference as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256)

                                BRRABillB 1 Reply Last reply Reply Quote 0
                                • BRRABillB
                                  BRRABill @tonyshowoff
                                  last edited by

                                  @tonyshowoff said

                                  In this case there really is no difference as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256)

                                  This is what I am seeing...

                                  0_1461725685350_hmac-sha1.png

                                  tonyshowoffT 1 Reply Last reply Reply Quote 0
                                  • tonyshowoffT
                                    tonyshowoff @BRRABill
                                    last edited by

                                    @BRRABill said in Obsolete Cipher Suite Message:

                                    @tonyshowoff said

                                    In this case there really is no difference as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256)

                                    This is what I am seeing...

                                    0_1461725685350_hmac-sha1.png

                                    That's SHA-2 (TLS 1.2 uses this), message authentication is a different aspect of it, in the simplest terms, it's to avoid corrupt messages.

                                    1 Reply Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill
                                      last edited by

                                      So in my original post, what is Chrome having an issue with?

                                      tonyshowoffT 1 Reply Last reply Reply Quote 0
                                      • tonyshowoffT
                                        tonyshowoff @BRRABill
                                        last edited by tonyshowoff

                                        @BRRABill said in Obsolete Cipher Suite Message:

                                        So in my original post, what is Chrome having an issue with?

                                        In TLS 1.2 if it's not using the ECDHE with GCM it is obsolete according to Chrome. If the signature, however, uses SHA-1, Chrome I don't even think will just accept it without going red or whatever. I think that's where some confusion comes from, the cipher of the protocol itself versus the signature of the certificate.

                                        1 Reply Last reply Reply Quote 0
                                        • BRRABillB
                                          BRRABill
                                          last edited by

                                          So the net net here is that it is probably OK, but should be upgraded if possible?

                                          tonyshowoffT 1 Reply Last reply Reply Quote 0
                                          • tonyshowoffT
                                            tonyshowoff @BRRABill
                                            last edited by

                                            @BRRABill Yes

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post