
Recent versions of Chrome will show a warning if you try to browse to a site that uses a SHA-1 certificate. Mozilla is doing the same thing as of Firefox 51, but they're enabling this gradually to measure impact. Microsoft has an update ready to disable SHA-1 support in their browsers - I think it was delayed a few days ago due to some issues (not sure if they were related to disabling SHA-1).

You can use [1] to test how your browser behaves.

Technically, the sites cannot be said to be vulnerable because of their SHA-1 usage. Rather, continuing issuance of SHA-1 certificates by publicly-trusted CAs increases the risk that someone obtains a certificate that collides with a certificate for a different domain or with a certificate that could be used to sign other certificates for sites the attacker does not own. [2] does a good job of explaining this. The mitigation for this is to use a browser that disables (or warns about) SHA-1 certificates. Publicly-trusted CAs are also not supposed to continue issuing these certificates, but there have been quite a number of cases where they did so anyway - most notably WoSign.

Of course, a site might use SHA-1 for other things behind the scenes. There's really no way to detect that in general.

[1]: https://sha1-2017.badssl.com/

[2]: https://news.ycombinator.com/item?id=13715717




> https://sha1-2017.badssl.com/

This certificate has expired, so it's not that useful for testing.


Thanks!



