NIST continues using SHA-1 algorithm after banning it

The National Institute of Standards and Technology (NIST) is still using SSL certificates signed with the SHA-1 signature algorithm, despite issuing a Special Publication disallowing the use of this algorithm for digital signature generation after 2013.

"SHA-1 shall not be used for digital signature generation after December 31, 2013."
— NIST recommendation

The SSL certificate for www.nist.gov is signed using the SHA-1 hashing algorithm, and was issued by VeriSign on 23 January 2014, more than three weeks after NIST's own ban came into effect. Also issued this year, NIST's "Secure File Transfer Service" at xnfiles.nist.gov uses a SHA-1 certificate.

An attacker able to find SHA-1 collisions could carefully construct a pair of certificates with colliding SHA-1 hashes: one a conventional certificate to be signed by a trusted CA, the other a sub-CA certificate able to be used to sign arbitrary SSL certificates. By substituting the signature from the CA-signed certificate into the sub-CA certificate, certificate chains containing the attacker-controlled sub-CA certificate will pass browser verification checks. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data into the certificate before signing it.

The increasing practicality of finding SHA-1 hash collisions could make it possible for a well-funded attacker to impersonate any HTTPS website. With a practical attack against SHA-1 (using cloud computing resources) estimated to cost $2.77M in 2012, falling to $700k by 2015, it may attract government agencies.

The SSL certificate for www.nist.gov with the signature algorithm and issuance date highlighted.

Along with NIST itself, many US Government institutions have continued to generate new SSL certificates with SHA-1 signatures. Examples include the certificate for donogc.navy.mil, issued on 3 January 2014, and several United States Bankruptcy Court document filing systems (each state has its own site and uses its own SHA-1-signed SSL certificate). Despite receiving widespread criticism for a number of other security problems last year, the ObamaCare exchange at healthcare.gov also saw fit to deploy a new SSL certificate in January which uses the SHA-1 hashing algorithm.

NIST and the rest of the US government are far from alone, however, as more than 92% of all certificates issued this year use the SHA-1 hashing algorithm.

Although the recommendations from the National Institute of Standards and Technology have been prepared for US federal agencies, the cryptographic weaknesses of SHA-1 should concern anyone who relies on SHA-1 to generate or validate digital signatures. Microsoft shares these concerns and has announced plans to deprecate the use of SHA-1 in both SSL and code signing certificates by the end of 2016.

The NSA-designed SHA-2 family (which includes SHA-224, SHA-256, SHA-384 and SHA-512) now provides the only cryptographic hash functions approved by NIST for digital signature generation. Whilst SHA-2 shares some similarities with SHA-1, there are significant structural differences: SHA-2 does not share the SHA-1's mathematical weakness. All of the SHA-2 algorithms have much longer digests: SHA-1 only produces a 160-bit digest, whereas the most common digest length for SHA-2 is 256-bits.


Huge divide: SHA-256 uptake remains low, and is still only used by a handful of certificate authorities.
Other signature algorithms with negligible shares (e.g. MD5 and SHA-512) are not displayed.

In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft's February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates.

SHA-256 is the most commonly used signature algorithm from the SHA-2 family, but it is used by only 1.86% of the valid certificates in Netcraft's February 2014 SSL Survey; nonetheless, this share has more than doubled in the space of 4 months, suggesting that some certificate authorities are starting to take the issue seriously. So far in 2014, more than 61% of the new certificates signed with SHA-256 were issued by a single certificate authority, Go Daddy. SHA-512 is the only other SHA-2 family algorithm to be seen used in SSL certificates, albeit deployed on only 4 websites so far.

The CA/B Forum – which comprises of both certificate authorities and web browser vendors – put forward Ballot 111 last year, which motions to take advantage of the deprecation of SHA-1 by accelerating the forum's planned move to shorter maximum certificate lifetimes. The deprecation alone will mean that some five-year certificates that are valid today will not be usable for their entire lifetime.

In practice, it is likely to be Microsoft's plans to deprecate the use of SHA-1 signatures by the end of 2016 which will force the mass adoption of SHA-2 by certificate authorities, although allowing three years for this to happen might seem generous. The majority of end users are unlikely to be affected by the change, and most website administrators will probably have to renew their SSL certificates within this period anyway, but certificates which are reissued with SHA-1 signatures run the risk of being unsupported by other browsers in the future.

Cryptographic weaknesses in SHA-1 have been discussed for several years. A notable better-than-brute-force attack was announced nine years ago, demonstrating a SHA-1 hash collision that could be achieved within 269 calculations, as opposed to the 280 that would be required by a brute-force approach.

More recently, the best public cryptanalysis of SHA-1 estimated that a full collision can be achieved with a complexity of around 261, while a near-collision can be achieved in 257.5. These attacks have been implemented in the HashClash framework, which provides differential path construction attacks against SHA-1, as well as chosen prefix collisions against the even-weaker MD5 algorithm. The CA/B Forum recommends that all certificate serial numbers should exhibit at least 20 bits of entropy, which would mitigate chosen-prefix collision attacks for non collision resistant hash functions, although such measures are not thought to be necessary for SHA-2 at the current time.

Windows XP has supported SHA-256, SHA-384 and SHA-512 since the release of Service Pack 3 in 2008, and Windows Server 2003 can also support SHA-2 if the KB938397 hotfix has been installed. Deprecating SHA-1 could therefore also have some other indirect security benefits: anyone still using Windows XP before Service Pack 3 will be unable to make effective use of the web as SHA-2 certificates gain prominence.

The SHA-1 algorithm is also used in all versions of the TLS cryptographic protocol, and only the latest version (TLS 1.2) introduces SHA-256 as a replacement for the MD5/SHA-1 combination for both the pseudorandom function and the finished message hash. Microsoft's SHA-1 deprecation policy will only apply to applications which call the CertGetCertificateChain API to build and validate a certificate chain, so older browsers and hardware devices which do not yet support TLS 1.2 will be unaffected.

Update 5 Feb 2014: Following the publication of this article, NIST today replaced the SHA-1 certificate on www.nist.gov with a new one which uses SHA-256 as a signature algorithm. At the time of writing, the certificate used by xnfiles.nist.gov is still signed with SHA-1.

Deluge of Browser Security Issues Drives Mass Migration

Netcraft has observed a surge in popularity of the Lynx browser, particularly since the recent Pwn2Own competition, which was held at the CanSecWest conference in Vancouver last month. During the course of the competition, security researchers once again exposed fresh vulnerabilities in Internet Explorer, Firefox and Safari.

Financial institutions have noted that the Lynx browser is particularly suitable for online banking, as it supports the latest cryptographic ciphers used in ecommerce, and is immune to attacks via JavaScript, Flash and other multimedia content. Lynx's algorithms for dealing with such threats are so comprehensive, it is just as safe as if the multimedia content was not there.

mountebankshare.png
User Agent share at FNB Oki Koki

April Erste, Public Relations Manager at the First National Bank of Oki Koki, told Netcraft that users are migrating to Lynx because of its speed and advanced security features. She added: "Lynx has not once suffered a buffer overflow in its image processing, and indeed has suffered no security vulnerabilities at all in the last 2 years." By comparison, the most recent Firefox security update was only 4 days ago.

The bank also notes that Telnet remains popular with a small group of its customers. Although it lacks the sophisticated user interface of Lynx, many security experts argue that Telnet is significantly more secure and has the largest installed base of any browser.

Erste said that while the bank is dedicated to providing an accessible online banking experience, some customers still report difficulties when trying to make HTTPS requests through Telnet without the aid of an extended keyboard layout.

Telnet online banking
A customer navigates the bank's online portal using Telnet

One factor that has held back wider adoption of Lynx is its lack of protection against phishing. As with other web browsers, it can be difficult to tell a genuine bank website from a well-constructed lookalike. To bolster Lynx's growing footprint in the browser market, Netcraft has released the Netcraft Toolbar for Lynx. This free add-on blends in at the top of every web page, and not only protects Lynx users against phishing attacks, but the beautiful text-based rendition of the Netcraft logo is sure to brighten anyone's day.

Netcraft Toolbar for Lynx

www.microsoft.com Completes Move to Microsoft-IIS/7.5

Microsoft is now running Microsoft-IIS/7.5 on its main website www.microsoft.com. IIS 7.5 is part of Windows Server 2008 R2, which is currently in beta testing.

The changeover appears to have started around the 8th January, when www.microsoft.com began responding sometimes with Microsoft-IIS/7.5, but with many requests still being served by 7.0. Now the transition appears to be complete, with all requests now being handled by version 7.5.

Microsoft has consistently upgraded www.microsoft.com to new versions of its web server platform ahead of their actual release, as a demonstration of confidence in new versions. It upgraded to the original Windows Server 2008 in June 2007, 8 months before that operating system's finished release in February 2008. www.microsoft.com is one of the very first sites to use Microsoft-IIS/7.5; Netcraft sees only 28 websites running Microsoft-IIS/7.5 in the February web server survey, of which the only significant sites were at Microsoft.

Continue reading

TRUSTe “Verified by haxors”

A vulnerability in the TRUSTe seal verification service was demonstrated last week, showing how the service could have been exploited to make it look as though an unauthorised site had a valid TRUSTe seal.

truste-xss-resized.png

A security researcher using the pseudonym "Antani Tapioco" discovered the problem, which stemmed from insufficient input validation on the TRUSTe seal validation page. Netcraft has reported the problem to TRUSTe and it has since been fixed.

Tapioco demonstrated how JavaScript could be injected into the page, causing a popup dialog box to display the message "Verified by haxors, LOL". Tapioco was further critical of the ease at which the flaw was found, saying that companies should spend money on code reviews and penetration tests to discover such problems before they become an issue.

truste-verified-dialog.png

Tapioco was able to execute JavaScript on the page by injecting an img tag with an invalid src parameter. The JavaScript payload, specified in the onerror handler, was then subsequently executed. This kind of vulnerability on a page like this has the potential to be very harmful - being able to inject arbitrary JavaScript can allow attackers to remove all existing content from the page and replace it with their own content.

Google Draws Fire Over Blogspot Spam Blogs

The explosion of spam blogs on Google's Blogspot hosting service is drawing a chorus of condemnation from prominent bloggers, and has led at least one blog search service to stop indexing posts on Blogspot. The growth of spam blogs has accelerated in recent months, fueled by automated tools that can create blogs on Blogspot and some similar services and populate them with keyword-optimized posts and Google AdSense advertisements.

About 39,000 fake blogs have been created on the web in the past two weeks, according to an analysis by Technorati, or about 4.6 percent of the 805,000 new weblogs created in that period. FightSplog, which has been monitoring new blogs at Blogspot, recently documented 2,763 porn splogs created by a single "splogger." Blogspot-based spam blogs recently began featuring names of prominent bloggers in posts, boosting the splogs' visibility in searches at web-based RSS aggregators like Feedster, PubSub and Bloglines.

The move prompted IceRocket to stop indexing new posts from Blogspot.com, according to a blunt post from Mark Cuban, a major investor in IceRocket. Cuban says Blogspot indexing will resume once filters are adjusted, but warned Google to fix the problem or face a permanent ban. Bloggers are also focusing their fire on Google, which has stepped up its splog-squashing efforts in recent weeks but still can't keep pace with the automated instasplogs. "If your motto truly is to do no evil, then you need to start putting some resources behind an effort to curb this train wreck," LockerGnome's Chris Pirillo advised Google.

Continue reading

www.georgewbush.com switches to self-hosted FreeBSD server, www.sun.com upgrades to Solaris 9, not 10

After www.georgewbush.com stepped away from the Akamai content management service on Nov 24, the site enjoyed a short-lived stay on a Windows 2000 server running Microsoft-IIS/5.0, hosted by the Republican National Committee. By Nov 30, the site had been moved to a FreeBSD server running Apache at BUSHCHENEY2004-65-172-163-128-255.

While response times have been improved since moving to FreeBSD, www.georgewbush.com is simply redirecting visitors to the Republican National Committee web site at www.gop.com; however, making an HTTP 1.0 request to www.georgewbush.com causes it to serve the "Test Page for Apache Installation" instead of instructing the browser to redirect to www.gop.com.

p-30464.0.png

p-30464.4.png

www.georgewbush.com continues to block access based on geographical location. A dynamically updating chart of site performance for www.georgewbush.com is available here

Another notable change was observed on Sun Microsystems’ web site at www.sun.com, which was upgraded from Solaris 8 to Solaris 9 on Nov 30. Sun's tardy approach to running the latest version of Solaris on www.sun.com - Solaris 10 was recently released - is in sharp contrast to Microsoft, who ran www.microsoft.com on Windows 2003 for months ahead of its launch.