back to article Microsoft plans St Valentine's Day massacre for SHA‑1

The death knell for the SHA‑1 cryptographic hash function will echo around the web now that all the main browser builders have decided to cut off support – only 12 years after its flaws were first discovered. On Friday, Mozilla and Microsoft both announced that support for SHA‑1 in HTTPS certificates would be dropped – Moz …

  1. Brian Miller Silver badge

    All together, now!

    Fuego!

    There are so many things that hang around for years, until they are finally put to "rest."

    Now, if only the IoT could get its act together on this, as well...

    1. a_yank_lurker Silver badge

      Re: All together, now!

      Can we get rid of Flash at the same time?

      1. Nick Ryan Silver badge

        Re: All together, now!

        Can we get rid of Flash at the same time?

        ...and Silverlight as well. Same unnecessary rubbish, same problems, similarly unwanted.

        However silverlight is still a "recommended" update for making a server less secure... To add to the non-joined up stupiditity should you click on an error link on a Windows server OS it will take you to the MS website which will then fail because JavaScript and Silverlight are not installed/enabled on a server's browser. Yes, we shouldn't really be using a server in this way but it happens...

    2. redpawn Silver badge

      Re: All together, now!

      IoT is getting its act together just like Microsoft. I see reform any decade now.

  2. Ilsa Loving

    Fart in a space suit

    "SHA-1 will still hang around, like a fart in a spacesuit,"

    It's quality writing like this that always brings me back to El Reg. Although the coworkers around me that jumped at my bark of laughter might disagree.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fart in a space suit

      I thought it was supposed to be a Volkswagen, not a space suit. Still, I suppose that's an emissions scandal of an altogether different order.

    2. Anonymous Coward
      Anonymous Coward

      Re: Fart in a space suit

      "SHA-1 will still hang around, like a fart in a spacesuit,"

      Creative imagery, but definitely didn't originate here.

  3. -tim
    Meh

    It won't be gone for decades...

    There are hundreds of millions of computers out there that aren't running modern operating systems or browsers simply because their users see the machines as functional as they are now and have no reason to upgrade. My web server logs are showing plenty of windows XP and old PowerPC macs that hit our site and the people who hit our site most likely have the money to upgrade. There is also a growing number of old non-upgradable Android and iPhones that are hitting the site which seems odd but I expect that it is a result that when the device was new, it wasn't the owners primary surfing device. Now that the old phone or old PC has been handed down, it is the only surfing device owned by the new user.

    1. HmmmYes

      Re: It won't be gone for decades...

      You been in my room of shit crap that I cannot throw away because ... of stuff.

    2. MrZoolook
      Windows

      Re: It won't be gone for decades...

      Just a small aside regarding mobile device figures.

      I for one set my tablets User Agent to a 5 year previous string. I do this even on my newest and sparkliest of devices. If I don't, every website I visit comprises 1k of content, and insists on sending 20 fucking megabytes of flash adverts. And even IF I can be bothered to wait for it all to be rendered, the lag those adverts cause simply by being displayed after downloading is barely tolerable.

      This, sadly, appears to be a universal constant. And while I'm not suggesting your own web server is guilty, it's unlikely that users in my particular mindset (meaning, they prefer content over irrelevant advertising) will reset their UA to access your server.

      Short version: Your logs only list the UA of accessing devices, which might not represent the ACTUAL device used.

      1. MacroRodent Silver badge

        Re: It won't be gone for decades...

        I for one set my tablets User Agent to a 5 year previous string. [...] Short version: Your logs only list the UA of accessing devices, which might not represent the ACTUAL device used.

        People like you probably represent about 0.001% of the users. Most people don't even know what the user agent string is, so collecting statistic based on it is reliable enough.

  4. lglethal Silver badge
    Trollface

    " and now it's time to find the laggards and get them fixed."

    Pass me my Cluebat! It's time to go fix some Laggards!

    (the word laggard is really not used often enough in the English language. It's such a brilliant word. I really should try and slip it into conversation with my German colleagues. ;) )

  5. HmmmYes

    Buy Intel stock!

    There's finally going to be a massive hardware update cycle.

    Or people install Linux Mint on the old PCs.

    1. Aladdin Sane Silver badge

      Linux Mint

      The year of the Linux desktop cometh.

  6. jms222

    SHA-0

    SHA-0 was removed from OpenSSL not that many months ago.

  7. gBone

    KVM switches

    I don't mind warnings, but when I press "I know this is insecure" it must continue to work. I have old ethernet KVM switches that insist on using it, for which firmware upgrades are not available. If they do not allow you to bypass the warnings then I will need to keep old browsers (or a VM copy of XP?) just for remote access to machines?

  8. Nick Ryan Silver badge

    IIS certificate request management

    Perhaps Microsoft would like to assist many web site managers and to support the generation of certificate requests within IIS using something other than SHA-1.

    While certificates can be requested using the certificate manager MMC plugin, IIS offers a far simpler service for the relatively narrow requirements of https certificates that is less prone to mistakes - either change it to support something other than SHA-1 or remove it altogether.

  9. MrZoolook
    FAIL

    Insert rant here!

    Oh, damn. I was about to comment on the irony of Microsoft, those stalwart overseers of Internet security, being responsible for the global average decline in secure use of the Internet, thanks largely because of its Internet Exploder browser.

    But the headline and e-mail flier imply the fact that nobody other then them still use that shit, an implication clearly incorrect in the article!

    Dammit, El Reg, you got me!

  10. Anonymous Coward
    Anonymous Coward

    Quis custodiet ipsos custodes?

    No one bothers about a MIM in the certificate chain, I presume.

    I see someone has been naive enough to believe M$. Quickie for anyone to test on one's own:

    1. Open M$.com via https

    2. Dig into the certificate details

    3. Check the very top of the certificate chain

    The top certificate is issued to, quote: "VeriSign Class 3 Public Primary Certification Authority - G5". It is issued in 2006, i.e. a year after the SHA-1 was already pronounced less secure than anticipated. Which hasn't prevented VeriSign from keeping it around, and signing their root (!) certficate with SHA-1. Neither has prevented my browser from trusting it. It happily reports "The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_256_GCM)", end of the quote.

    The certificate is to hang around for a little while, namely till 17 ‎July ‎2036 0:59:59. How big a botnet would be needed 20 years in the future to tweak a false signature, and to create bogus intermediate certificates? One, maybe up to two desktops?

    1. Anonymous Coward
      Anonymous Coward

      Re: Quis custodiet ipsos custodes?

      You've tried to do that, right? Create a valid bogus intermediate cert, that's apparently signed by the Verisign root cert?

      Let us know how you get on with both your desktops working on it ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020