15 comments

[ 5.4 ms ] story [ 82.0 ms ] thread
It's about time. Here's what NIST said in 2006:

"NIST encourages a rapid adoption of the SHA-2 hash functions for digital signatures, and, in any event, Federal agencies must stop relying on digital signatures that are generated using SHA-1 by the end of 2010."

... after seeking approval from the NSA.
It is nice and all that Microsoft is pushing TLS 1.2 and AES-GCM, but they still don't have support in schannel (used by IIS and IE??) for ECDHE_RSA_AES_GCM cipher suites.
Or any AES-GCM RSA cipher suites for that matter. I complained to Marsh Ray of MS about this.
Your request has not been forgotten :-)

But it might be really helpful if you were to explain a specific customer scenario where the security would be meaningfully increased by adding support for this particular cipher suite. I might be able to come up with something, but it would mean more coming from a customer.

Are any other major OSs using SHA1?
Internet Explorer is the first browser to implement SSL/TLS 1.2? What about Firefox and Chrome - anyone know their status?
I think they mean that they're the first to retire the cipher suits, not the first who implemented TLS1.2.

Quote from here: http://en.wikipedia.org/wiki/Transport_Layer_Security#Dealin...

  Chrome 30 and Opera 17 support TLS 1.1 and 1.2 enabled by default. Firefox 25 and 24
  ESR, and Internet Explorer 6-10 have support for TLS 1.1 and 1.2 but disabled by default
  (Firefox 28 Nightly and IE 11 supports TLS 1.1 and 1.2 enabled by default).
  Safari 6 for Mac OS X 10.8 and 10.7, and Safari 5 for Windows and support only
  TLS 1.0 (Safari for iOS, and Safari 7 for Mac OS X 10.9 support TLS 1.1 and 1.2
  enabled by default).
I just made a correction to the part on Internet Explorer on Wikipedia.
I think Opera was the first browser to do so, but Windows SChannel implemented it in the original Win7 RTM release so was not far behind.
They said IE11 is the first to make TLS 1.2 default. And it is apparently true.

  Microsoft officials went on to recommend that customers 
  stop using SHA1 now and begin using certificates based on 
  SHA2, which is much more resistant to collision attacks.
If SHA1 is broken at the algorithm level, one must _not_ use SHA2, which is the just a bigger SHA1.
"Just bigger" can buy 10-20 more years. The details do matter.
git uses sha1 for ... everything. git's cryptography guarantees is based on signing sha1 commit ids. Perhaps it's time to move on?