As problems are arising in some old security algorithms, some of the big tech companies are pushing to get the internet’s infrastructure updated to more trusted security. Microsoft has recently announced that starting in 2016, Windows will no longer support some SSL certificates. Microsoft is giving companies some time to update their certificates. In the latest push by Google to do the same thing, the company has started flagging websites with weak security. Users visiting web sites through the latest version of Google Chrome, will receive a warning regarding the certificate’s security. Websites using weak security will cause the green lock next to the URL to change color to orange.
Google will be checking for the hashing algorithm that is used to generate the fingerprint for the certificate. In layman’s terms, the fingerprint is what allows the browser to know, that the certificate presented by the server is indeed trusted. To do so, some websites present their fingerprint using the SHA-1 algorithm, which has been known to have some problems for some time now. Unlike MD5 who is completely broken, SHA-1 is still usable but the attacks are getting worse. There are about 50 root trusted authorities that all browsers trust by default. By checking the fingerprint the browser can know if the certificate presented by a website has been issued by one of the 50 root authorities. These certificates are the foundation for https and secure communication over the web.
The article praises Google’s move as a step forward to securing the web. The article mentions some reasons as to why Google’s move is a step in the right direction. As the attacks on SHA-1 are getting worse, the ability to forge certificates using SHA-1 is not very expensive, and would cost a little less than $2 million. Hence countries who want to intercept encrypted traffic of their citizens might be able to forge a certificate. I am not completely sold on this. I believe that this is mainly a marketing move by Google and the developers of Google Chrome to make their browser seem more secure. People who do not know anything about security will not care about the color of their https lock. People who do know a little about how the internet works, at first glance might think that this is a good move by Google, and might even switch to Google Chrome. However, when further looking into this issue, it doesn’t seem as a huge problem. Investing $2 million on computer hardware to forge a certificate is a little unfeasible. Furthermore, the attacker needs to get access to one of the peering zones that run the internet backbone. This might be a little more feasible for a foreign government who is trying to monitor its citizens web usage. However, there are other ways for a country to achieve this, without having to spend the $2 million to forge SSL certificates. Furthermore, small hacker groups trying to intercept SSL traffic will definitely not spend $2 million in processing power. They will find other ways to get the user’s information.
Sources:
http://blog.ivanristic.com/2014/09/sha1-deprecation-what-you-need-to-know.html
No comments:
Post a Comment