On the plus side, with MS finally getting its act together, a whole lot of the Web is going to be a whole lot more secure after Jan 1st.
Microsoft may join Mozilla and retire SHA-1 in 2016
Microsoft has decided to follow Mozilla down the path to better security, bringing forward the end-of-life date for SHA-1 hashing. SHA-1 has long been suspect, but in 2015 the ease and effectiveness of attacks against it have grown to the point where everyone with good sense is making their excuses and leaving the room. …
COMMENTS
-
Thursday 5th November 2015 13:14 GMT Anonymous Coward
Bandwagon
Reg - you reported this last week (this ain't new). And while we will have lots jumping on with M$ bashing (which is usually fair) anyone with some actual experience in this area knows that killing off SHA 1 for all devices is not that easy. In essence there is a huge swathe of OSes (not just M$) that won't be able to do SSL\TLS when this comes in because they have no pathway to support SHA2 (or above). Then there is a huge swathe that can be patched but are not. M$ announced about two years ago their plans for dropping SHA1 and now they have speeded up that process because the situation has changed. Ah well - muppets will bash M$ regardless...
-
Thursday 5th November 2015 14:21 GMT paulej72
Re: Bandwagon
I have printers that use SHA1 for https to the web configuration interface. I had to download an old version of Pale Moon to access them since both Chrome and FF would not let me access them. And for some of them, I am sure there will be no upgrades to the firmware to support SHA2.
While SHA1 might be hackable, I would rather use it than to send my printer passwords over the net in plain text.
-
-
Thursday 5th November 2015 18:10 GMT Anonymous Coward
False dichotomy?
You make it sound as if the choice is between SHA-1 and plain text... SHA-1 is a hashing algorithm. It's used in the certificate, not for encryption. The certificate was generated by some stupid company you've never heard of. You can't trust the certificate anyway. What you should do is either find out your printer's public key, write it on a Post-it note and check it manually whenever you connect to the printer, or generate your own certificate, using the hashing algorithm of your choice, and configure your browser to use and trust that certificate, which will be a lot more trustworthy than the certificate given out by some stupid company you've never heard of. (In case you're about to ask: no, I've never done that and don't know exactly how to do it. Perhaps I should try it one day just to see if my theoretical understanding of how these things work is roughly in line with how they work in practice.)
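Added example, not part of the thread or written by any commenter: a small Python check for the key-pinning idea discussed above. It reads the signature algorithm recorded in a certificate and pins the SHA-256 of its SubjectPublicKeyInfo, so the pin stays the same whichever hash signed the certificate. All function names are hypothetical, and the sample certificates are constructed, unsigned DER structures rather than real device certificates.

```python
import hashlib, hmac

SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def children(buf):
    """Yield (tag, whole_tlv, value) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, n, hdr = buf[pos], buf[pos + 1], 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
        yield tag, buf[pos:pos + hdr + n], buf[pos + hdr:pos + hdr + n]
        pos += hdr + n

def oid_str(v):
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_cert(cert_der):
    """Return (certificate signature algorithm, SHA-256 of SubjectPublicKeyInfo)."""
    (_, _, cert), = children(cert_der)
    tbs, sig_alg, _sig = children(cert)
    fields = list(children(tbs[2]))
    if fields[0][0] == 0xA0:              # optional explicit [0] version
        fields = fields[1:]
    spki = fields[5][1]                   # serial, sigAlg, issuer, validity, subject, SPKI
    oid = oid_str(next(children(sig_alg[2]))[2])
    return SIG_OIDS.get(oid, oid), hashlib.sha256(spki).hexdigest()

def pin_ok(cert_der, pinned_hex):
    return hmac.compare_digest(inspect_cert(cert_der)[1], pinned_hex)

def tlv(tag, body):                       # DER encoder, used only to build the sample
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_cert(sig_last, key=b"\xAB" * 32):   # constructed and unsigned, structure only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([sig_last])) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    name, validity = tlv(0x30, b""), tlv(0x30, tlv(0x17, b"150101000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))
```

For a real device, the DER bytes would come from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`, with the pin recorded on first contact over a trusted path.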