2017-07-10 19:30 GMT+02:00 Michael Wojcik <michael.woj...@microfocus.com>:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Niklas Keller
> > Sent: Monday, July 10, 2017 11:12
> > To: openssl-users@openssl.org
> > Subject: Re: [openssl-users] Rejecting SHA-1 certificates
> >
> > It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.
>
> Care to demonstrate that?
>
> I'm not sure how feasible that is for either SHA1 or MD5. The SHAttered attack demonstrated an SHA1 collision using 1) an enormous amount of resources and 2) a file format with plenty of scope for manipulating the preimages. I'm not aware of any public demonstration showing anything close to a practical way of forging an X.509 certificate with an SHA1-based signature. Certificates have far less scope for manipulating the preimage.
>
> It's always been possible to forge certificates. Generally that's been done by stealing the signing key from a poorly-secured CA. The new marginal feasibility of producing SHA1 collisions does not significantly increase the forgery risk for X.509 certificates at present, since it's probably still too difficult - perhaps not even possible for any useful forgery (if the forged certificate had to carry a suspect amount of unexpected data, for example) - and certainly far too expensive to justify the vast majority of potential attacks.

Probably true, yes.

> A security vulnerability is meaningless outside the context of a threat model. Forging certificates with SHA1-based signatures is a very minor branch of the attack tree for nearly all certificate holders. CAs and browser vendors are getting rid of SHA1-based signatures now because the cost of being proactive is very small, and attacks only get better. That doesn't mean immediately screening out all SHA1-based certificates is justified under sensible threat models.
>
> What's your threat model, and how does it justify this effort?

The same as for browsers I guess.
Could you explain why browsers and Java disable SHA1, but it's not worth it for me to do so?

Regards,
Niklas
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
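The thread argues about whether screening out SHA-1-signed certificates is worth the effort; it never shows what such a screen actually checks. The following is an added example, not code from the list thread or from OpenSSL: a dependency-free Python script that walks the outer structure of a DER-encoded X.509 certificate, reads the signatureAlgorithm OID from both the outer Certificate and the inner tbsCertificate (RFC 5280 requires them to match), and rejects MD5- and SHA-1-based algorithms. The OIDs are the standard ones; the `make_test_cert` helper builds a skeletal, constructed DER certificate only so the check can be exercised offline, and `check_certificate`, `signature_algorithms` and `WEAK_SIGNATURE_OIDS` are names chosen here.

```python
"""Screen a DER X.509 certificate for SHA-1/MD5 signature algorithms (added example)."""

# Signature algorithms a relying party would refuse, keyed by dotted OID (RFC 3279 / RFC 5480).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(data, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not DER")
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length


def _decode_oid(body):
    """Decode OID contents to dotted form (first arc < 2 or second arc < 40, enough here)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_alg_oid(data, pos):
    """Read AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY } at pos."""
    tag, start, _ = _read_tlv(data, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, s, e = _read_tlv(data, start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(data[s:e])


def signature_algorithms(cert_der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER Certificate SEQUENCE")
    tag, tbs_start, tbs_end = _read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    # tbsCertificate: optional [0] EXPLICIT version, then serialNumber INTEGER, then signature.
    p = tbs_start
    tag, _, nxt = _read_tlv(cert_der, p)
    if tag == 0xA0:
        tag, _, nxt = _read_tlv(cert_der, nxt)
    if tag != 0x02:
        raise ValueError("missing serialNumber")
    inner = _read_alg_oid(cert_der, nxt)
    outer = _read_alg_oid(cert_der, tbs_end)   # signatureAlgorithm follows tbsCertificate
    return outer, inner


def check_certificate(cert_der):
    """Return (accepted, reason). Rejects weak algorithms and inner/outer mismatches."""
    outer, inner = signature_algorithms(cert_der)
    if outer != inner:
        return False, f"signature algorithm mismatch: outer {outer}, tbsCertificate {inner}"
    if outer in WEAK_SIGNATURE_OIDS:
        return False, f"weak signature algorithm {WEAK_SIGNATURE_OIDS[outer]} ({outer})"
    return True, f"signature algorithm {outer} accepted"


# --- constructed test data below: a skeletal certificate shape, not a real certificate ---

def _der(tag, body):
    """Encode one DER TLV (lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_test_cert(sig_oid, tbs_sig_oid=None):
    """Build a constructed DER Certificate skeleton carrying the given signature OIDs."""
    def alg(oid):
        return _der(0x30, _encode_oid(oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))               # version [0] EXPLICIT, v3
               + _der(0x02, b"\x01")                          # serialNumber
               + alg(tbs_sig_oid or sig_oid)                  # signature (inner copy)
               + _der(0x30, b""))                             # issuer placeholder
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" * 33))   # + signatureValue


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(oid, check_certificate(make_test_cert(oid)))
    print("mismatch", check_certificate(make_test_cert("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5")))
```

To run it against a real certificate, read the DER bytes from disk (convert PEM first, for example with `openssl x509 -outform DER`) and pass them to `check_certificate`. Apply the screen to every certificate in a presented chain except the self-signed trust anchor: the signature on a root is never verified, so its hash algorithm has no bearing on the chain's security, and rejecting old SHA-1 roots only breaks validation without closing anything.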