You may have missed it unless you are interested in digital certificates and SSL, but the problem of SHA-1 certificate deprecation is something that we’re all going to have to pay some attention to.
Here’s what you need to know.
Modern CPUs and computing environments are becoming so powerful that older security protocols are starting to be vulnerable to “brute force” attack methods that allow them to be broken. This is what is happening with the SHA-1 hash algorithm. Having to phase out security protocols that are no longer effective is nothing new and goes back as long as we’ve had technology and cryptography. Even back in World War II, one of the key advantages that the Allies held over Axis nations was the capability to break or compromise their codes and coding methods. (My favorite book on the topic is fictional, but based on the facts, and a lot of fun to boot – Cryptonomicon by Neal Stephenson. No technology background is required to enjoy the book.)
If you’ve been in the industry for a while, you’ll recall that in the early ’90s the most common encryption algorithms were 64-bit – and that US government restrictions wouldn’t allow export of software with any stronger encryption than that. Presumably that was because the US government wanted the option to do a “brute force” attack on data exchanges at will, and had the capability to do so. Similarly, in the IT security industry you’ll hear occasional rumors of government agencies collecting all encrypted data exchanges that meet certain criteria at key internet junction points – again, presumably with the idea that while you can’t get at the data without years of work to break into the encrypted data set today, in the measurable future you’ll be able to do so at will with hardware and software strengthened by Moore’s Law. That’s what’s happened with SHA-1 certificates. Within a measurably short amount of time, computing environments will have reached the point where SSL sessions based on SHA-1 certificates will be “hackable” while in process.
It’s worth noting that the same thing happened with the older MD5 hash algorithm earlier in this decade with the state-sponsored Flame malware attack that targeted Iran.
SHA-1-based certificates are commonly used as part of the “chain of trust” to establish an SSL connection. They are one of several certificate types that can be used for this purpose, and one of the most common.
So, the first dimension of the problem is to get the certificates for web sites updated. This will mean that many sites are going to require considerable rework in the relatively near term, and if that is not fixed in the medium term it becomes a serious vulnerability for users. For sites and services designed in that older era, and with budget and resource constraints, this could represent a real problem. Some might even require a complete re-boot / re-write.
Another dimension of the problem is Windows XP clients. XP supports SHA-1, but not newer, more sophisticated algorithms. Yes, Microsoft has formally ended support for Windows XP, and is no longer providing security updates as of April this year. But this doesn’t mean that all of those millions of Windows XP systems are going away or getting upgraded. As of April this year, 28% of all traffic still originated from Windows XP systems. The fact is that those with limited finances or technical savvy will continue using their XP-based systems until they grind to a complete halt. This leaves them with either (A) insecure connections with the old algorithm or (B) no access to secure sites. It will require organizations to make some choices that could complicate their web application architecture. (Do I need to support both the older and the newer algorithms? Will I have to make the browser check for what the base system is before I start a session? How much work is it going to be to do that?)
Regardless of the answer, Google and Microsoft are taking steps to phase out support of the SHA-1 communications security protocol by 2017. In fact, Google will start “warning” people using Chrome 39 (already in Beta and due for release in November) when a site using SHA-1 with a certificate expiring in 2016 is accessed.
Here is a more complete timeline of the phase out:
- November 2014: SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome.
- December 2014: SHA-1 SSL Certificates expiring after June 1, 2016 will show a warning in Chrome.
- January 2015: SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome.
- January 1, 2016: Certificate Authorities must stop issuing new SHA-1 SSL and Code Signing Certificates. Microsoft will stop trusting SHA-1 Code Signing Certificates without time stamps.
- January 1, 2017: Microsoft will stop trusting SHA-1 SSL Certificates.
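For site owners, the timeline above can be turned into a triage pass over a certificate inventory. The following is an added example, not part of the original article: the host names and certificate fields are constructed, and "expiring in 2017" is read as "2017 or later", which is an assumption.

```python
import re
from datetime import date, datetime

# Constructed inventory: the two fields as `openssl x509 -noout -text` prints them.
INVENTORY = {
    "shop.example": "Signature Algorithm: sha1WithRSAEncryption\n Not After : Mar 14 23:59:59 2017 GMT",
    "mail.example": "Signature Algorithm: sha1WithRSAEncryption\n Not After : Sep  3 12:00:00 2016 GMT",
    "intranet.example": "Signature Algorithm: ecdsa-with-SHA1\n Not After : Feb  9 12:00:00 2016 GMT",
    "legacy.example": "Signature Algorithm: sha1WithRSAEncryption\n Not After : Oct 30 12:00:00 2015 GMT",
    "api.example": "Signature Algorithm: sha256WithRSAEncryption\n Not After : Aug 20 12:00:00 2018 GMT",
}

def parse_cert_text(text):
    """Extract (signature algorithm, expiry date) from openssl text output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+)", text).group(1)
    # Collapse the padding openssl uses for single-digit days ("Sep  3").
    expiry = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y GMT")
    return alg, expiry.date()

def is_sha1(alg):
    """True for SHA-1 signature names, false for sha256/sha384/sha512 variants."""
    return re.search(r"sha-?1(?!\d)", alg, re.IGNORECASE) is not None

def chrome_warning_from(alg, expiry):
    """Earliest milestone in the article's timeline at which Chrome warns."""
    if not is_sha1(alg):
        return None
    if expiry >= date(2017, 1, 1):   # assumption: "in 2017" read as 2017 or later
        return "November 2014"
    if expiry > date(2016, 6, 1):    # "expiring after June 1, 2016"
        return "December 2014"
    if expiry >= date(2016, 1, 1):   # "any time in 2016"
        return "January 2015"
    return None                      # expires before the timeline applies

def triage(inventory):
    """Per host: (host, algorithm, expiry, Chrome milestone, valid past MS cutoff)."""
    rows = []
    for host, text in sorted(inventory.items()):
        alg, expiry = parse_cert_text(text)
        outlives_ms_cutoff = is_sha1(alg) and expiry >= date(2017, 1, 1)
        rows.append((host, alg, expiry.isoformat(),
                     chrome_warning_from(alg, expiry), outlives_ms_cutoff))
    return rows

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Certificates flagged with the earliest milestone are the ones to reissue first; the last column marks SHA-1 certificates that would still be unexpired when Microsoft stops trusting them.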
Here’s how the compromise works
SHA is a secure cryptographic hash algorithm designed by the NSA and published by the NIST. There are 4 flavors of SHA: SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 produces a 160-bit hash value (or number, if you will) and it is the most widely used algorithm for signing certificates. Internet applications and network communication rely heavily on certificates to establish the secure channel between server and client used in protocols like HTTPS. For SHA-1, every message hashes down to a 160-bit number. This puts the odds of two different messages having the same “hash value” at about 1 in 2 to the 80th. The result of this is that the SHA-1 algorithm is vulnerable to a “brute force” attack. Given the advancements in modern CPU computation speeds, one can match the hash value (called finding a collision) in SHA-1 in 2 to the 69th calculations. The numbers may sound large, but will be within the grasp of readily available computing tools soon enough to compromise secured communications within just a year or two.
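Why a 160-bit hash gives roughly 2 to the 80th collision work rather than 2 to the 160th can be seen by shrinking the hash. This added example (not from the original article) truncates SHA-1 to a few bits and counts how many constructed messages must be hashed before two of them share a value; the count tracks 2 to the (bits/2), the generic birthday bound.

```python
import hashlib

def truncated_sha1(message: bytes, bits: int) -> int:
    """Top `bits` bits of the SHA-1 digest, as an integer."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - bits)

def birthday_collision(bits: int):
    """Hash distinct messages until two share a truncated digest.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}          # truncated digest -> message that produced it
    count = 0
    while True:
        msg = b"constructed-message-%d" % count
        tag = truncated_sha1(msg, bits)
        count += 1
        if tag in seen:
            return seen[tag], msg, count
        seen[tag] = msg

def generic_collision_work(bits: int) -> int:
    """Birthday-bound order of magnitude for an n-bit hash: 2^(n/2)."""
    return 2 ** (bits // 2)

if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, count = birthday_collision(bits)
        print(f"{bits}-bit truncation: collision after {count} hashes "
              f"(2^{bits // 2} = {generic_collision_work(bits)})")
    print(f"full SHA-1, 160 bits: generic bound 2^80 = {generic_collision_work(160)}")
```

Each extra output bit only adds half a bit of collision resistance, which is why moving from a 160-bit to a 256-bit hash raises the generic bound from 2^80 to 2^128.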
Here’s what to take away
- For consumers, this is yet another reason to get off of XP. Although corporate environments will already have migrated with the end of XP support earlier this year (except for special cases like embedded systems), the chances are that by the time this becomes a threat in 2016-18, a measurable number (if small in percentage terms) of users will still be vulnerable.
- For web applications and site owners – the risk of keeping old applications and out-of-date sites active rises dramatically if you choose not to update. But you can be sure that some sites will still be on-line with vulnerable software when the risk becomes real. Based on historical patterns, we know that organizations and people are slow to migrate and change.
- The good news is that some of the certificate vendors (Digicert for one) are providing free tools that help ease the transition with methods that work well … as long as you aren’t worried about support for XP-based clients.
Hopefully the site problems can be offset by better web-reputation testing at browsers (as Google will release with Chrome in November), and settings to automatically reject vulnerable sites.