[openssl-users] Rejecting SHA-1 certificates

Niklas Keller me at kelunik.com
Mon Jul 10 18:19:11 UTC 2017

2017-07-10 19:30 GMT+02:00 Michael Wojcik <Michael.Wojcik at microfocus.com>:

> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> > Behalf Of Niklas Keller
> > Sent: Monday, July 10, 2017 11:12
> > To: openssl-users at openssl.org
> > Subject: Re: [openssl-users] Rejecting SHA-1 certificates
> > It's very well worth the effort, otherwise there's a security issue,
> > because certificates can be forged.
> Care to demonstrate that?

I'm not sure how feasible that is for either SHA1 or MD5.

> The SHAttered attack demonstrated an SHA1 collision using 1) an enormous
> amount of resources and 2) a file format with plenty of scope for
> manipulating the preimages. I'm not aware of any public demonstration
> showing anything close to a practical way of forging an X.509 certificate
> with an SHA1-based signature. Certificates have far less scope for
> manipulating the preimage.
> It's always been possible to forge certificates. Generally that's been
> done by stealing the signing key from a poorly-secured CA. The new
> marginal feasibility of producing SHA1 collisions does not significantly
> increase the forgery risk for X.509 certificates at present, since it's
> probably still too difficult - perhaps not even possible for any useful
> forgery (if the forged certificate had to carry a suspect amount of
> unexpected data, for example) - and certainly far too expensive to justify
> the vast majority of potential attacks.

Probably true, yes.

> A security vulnerability is meaningless outside the context of a threat
> model. Forging certificates with SHA1-based signatures is a very minor
> branch of the attack tree for nearly all certificate holders. CAs and
> browser vendors are getting rid of SHA1-based signatures now because the
> cost of being proactive is very small, and attacks only get better. That
> doesn't mean immediately screening out all SHA1-based certificates is
> justified under sensible threat models.
> What's your threat model, and how does it justify this effort?

The same as for browsers, I guess. Could you explain why browsers and Java
disable SHA1, but it's not worth it for me to do so?

Regards, Niklas
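The check the thread is about, as an added example that is not from the thread or from OpenSSL: a stdlib-only walk of a DER certificate's outer signatureAlgorithm, run over a constructed chain of skeleton certificates (no real keys or signatures, marked as constructed in the code). The trust anchor's own self-signature is exempted because nothing in the chain depends on it.

```python
SEQUENCE, INTEGER, OID, NULL, BIT_STRING = 0x30, 0x02, 0x06, 0x05, 0x03

# Signature algorithms built on MD5 or SHA-1 (OIDs from RFC 3279)
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
def read_tlv(data, pos=0):
    """Decode one DER element (single-byte tag); return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def decode_oid(body):
    """OID content octets -> dotted string (first octet packs two arcs, rest base-128)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def signature_algorithm_oid(cert_der):
    """Dotted OID from Certificate.signatureAlgorithm, the element after tbsCertificate."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    _, _tbs, pos = read_tlv(cert)        # tbsCertificate, skipped over
    _, sig_alg, _ = read_tlv(cert, pos)  # signatureAlgorithm: SEQUENCE { OID, parameters }
    _, oid_body, _ = read_tlv(sig_alg)   # the OID is the AlgorithmIdentifier's first element
    return decode_oid(oid_body)

def weak_signatures(chain_der, skip_trust_anchor=True):
    """[(index, name)] for chain members signed with a deprecated digest. The last cert is
    taken as the trust anchor; its self-signature secures nothing, so it is skipped by default."""
    certs = chain_der[:-1] if skip_trust_anchor and len(chain_der) > 1 else chain_der
    return [(i, WEAK_SIGNATURE_OIDS[oid]) for i, oid in
            enumerate(map(signature_algorithm_oid, certs)) if oid in WEAK_SIGNATURE_OIDS]
# Constructed sample chain: X.509 skeletons (placeholder serial, dummy signature bits, no keys)
def der(tag, content):
    return bytes([tag, len(content)]) + content  # short-form lengths suffice for these sizes

def skeleton_cert(alg_oid_octets):
    alg_id = der(SEQUENCE, der(OID, alg_oid_octets) + der(NULL, b""))
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + alg_id)  # serialNumber + inner signature field
    return der(SEQUENCE, tbs + alg_id + der(BIT_STRING, b"\x00\xaa\xaa"))
SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
SAMPLE_CHAIN = [skeleton_cert(SHA256_RSA), skeleton_cert(SHA1_RSA), skeleton_cert(SHA1_RSA)]
```

On a real DER file, `openssl x509 -inform DER -noout -text` prints the same field as `Signature Algorithm`, which is the quickest manual cross-check.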