Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

Show night or time may vary in your market.

rocksolid / Security / oh oh, sha1 is broken

o oh oh, sha1 is brokenanon

Subject: oh oh, sha1 is broken
From: anon
Organization: def5
Date: Thu, 9 Jan 2020 09:08 UTC
From: (anon)
Message-ID: <c3ad2db5c416049850b5e945c531b640@def4>
Subject: oh oh, sha1 is broken
Date: Thu, 09 Jan 2020 09:08:28+0000
Organization: def5
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers


Is SHA-1 really still used?

SHA-1 usage has significantly decreased in the last years; in particular web browsers now reject certificates signed with SHA-1. However, SHA-1 signatures are still supported in a large number of applications. SHA-1 is the default hash function used for certifying PGP keys in the legacy branch of GnuPG, and those signatures were accepted by the modern branch of GnuPG before we reported our results. Many non-web TLS clients also accept SHA-1 certificates, and SHA-1 is still allowed for in-protocol signatures in TLS and SSH. Even if actual usage is low (in the order of 1%), the fact that SHA-1 is allowed threatens the security because a meet-in-the-middle attacker will downgrade the connection to SHA-1. SHA-1 is also the foundation of the GIT versioning system. There are probably a lot of less known or proprietary protocols that still use SHA-1, but this is more difficult to evaluate.


Time to upgrade some libs I guess-

Posted on def4

rocksolid light 0.7.2