[OWASP-South Africa] SHA1

timogoosen timogoosen at runbox.com
Sat Oct 11 14:40:20 UTC 2014


Don't buy a certificate, you can use a self signed cert if it is only
for yourself.  There is nothing about self signed certificates that makes
them insecure if they are generated correctly and if your server is
set up properly and not running on some virtualized crap.  The only part
about self signed certs that people don't like is that you will get a
warning in your browser that says that it doesn't recognize the
Certificate Authority.  If only you are using it and you know the
identity of your own certificate then a self signed cert is fine.

Watch this video: https://www.youtube.com/watch?v=fwcl17Q0bpk
"NSA operation ORCHESTRA: Annual Status Report"
At some point he talks about the stupid thinking related to certificate
authorities. Not sure if you guys know this but Verisign, who accounts
for a great deal of SSL certificates being sold on the internet, also
sells "Lawful Interception Services"; if you don't believe me, look on
their site with archive.org, they used to have some info on their website
about their "lawful interception services."

Also besides that you can use Startssl, they give free SSL certificates
for free for a year. After that you can buy one from gandi.net, they
have good prices.

Interesting article which is somewhat related: libressl + nginx on Linux.
https://www.mare-system.de/blog/page/1405201517/

Another interesting link related to using libressl:
https://unix.stackexchange.com/questions/144573/is-it-too-early-to-try-libressl




On 10/08/2014 07:41 PM, Wellington Mekhoe wrote:
> Thanks for the feedback.
> 
> So you would recommend that we still buy SHA1 certificates that would
> expire end 2015 or move directly to SHA256?  The reason I'm asking is
> that my friends and I wanted to buy a certificate for some free and open
> source development work after hours.
> 
> On Wed, Oct 8, 2014 at 6:54 PM, Brett Russell <brett.russell at owasp.org> wrote:
> 
>     Apparently they tried to switch to SHA256 and had to switch back to
>     SHA1 because 5% of their site browsers (mozilla.org)
>     could not get access to download Firefox?
>     Seems everyone is issuing SHA1 certs to expire at the end of 2015,
>     that's what I recommended at work as well.
> 
>     On Wed, Oct 8, 2014 at 10:03 AM, Wellington Mekhoe
>     <wmekhoe at gmail.com> wrote:
> 
>         Have you heard Mozilla's position on this matter?
> 
>         If I get any news, I will share it with you and the community.
> 
>         On 07 Oct 2014 6:37 AM, "Brett Russell" <brett.russell at owasp.org> wrote:
> 
>             My concern is the devices, browsers etc that don't support
>             sha256, especially when in my opinion, the move is not
>             really necessary?
> 
>             On Saturday, October 4, 2014, Wellington Mekhoe
>             <wmekhoe at gmail.com> wrote:
> 
>                 Hi Brett
> 
>                 I think for now most people won't care about the
>                 changes, however as chrome is being used more now for
>                 business use, companies will be forced to upgrade their
>                 certificates.
> 
>                 Kind regards
>                 Wellington Mekhoe
> 
>                 On 26 Sep 2014 9:14 PM, "Brett Russell"
>                 <brett.russell at owasp.org> wrote:
> 
>                     Hi All,
> 
>                     As most of you probably know, Google plans to start
>                     "sunsetting" SHA1 support with some interesting
>                     changes to Chrome:
> 
>                     http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
> 
>                     There have been some interesting responses from the
>                     global security community, what do you have to say
>                     about all this? Is anyone in SA actually going to
>                     care, or upgrade their certificate to cater for this?
> 
>                     Kind Regards,
>                     Brett Russell
>                     OWASP South Africa Chapter Leader
> 
>                     _______________________________________________
>                     OWASP-SouthAfrica mailing list
>                     OWASP-SouthAfrica at lists.owasp.org
>                     https://lists.owasp.org/mailman/listinfo/owasp-southafrica
> 
> 
> 
>             -- 
> 
>             Kind Regards,
>             Brett Russell
>             OWASP South Africa Chapter Leader
> 
> 
> 
> 
>     -- 
> 
>     Kind Regards,
>     Brett Russell
>     OWASP South Africa Chapter Leader
> 
> 
> 
> 
> _______________________________________________
> OWASP-SouthAfrica mailing list
> OWASP-SouthAfrica at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-southafrica
> 
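A worked check for the question the whole thread turns on (which hash a certificate's signature uses), added here as an example; it is not part of any message above and not code from OWASP or any poster. It walks the outer DER structure of an X.509 certificate using only the Python standard library and reports the signatureAlgorithm OID, so a self signed cert you generate yourself, or one a CA issued, can be confirmed as SHA-256 rather than SHA-1 ahead of the end-2015 expiry the thread discusses. The "skeleton" certificates it builds are constructed test fixtures with an empty tbsCertificate, not real certificates, and all function names are this example's own.

```python
"""Report the signature hash of an X.509 certificate (added example, not from the thread).

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Only the outer SEQUENCE and the AlgorithmIdentifier are parsed; nothing is verified.
"""
import base64
import re

# Well-known signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags only)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _der(tag, content):
    """Encode one DER element; used only to build the constructed fixtures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(value):
    """Turn the base-128 encoded OID body into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends an arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Inverse of decode_oid; needed only to construct the sample certificates."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def signature_algorithm(cert_der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # tbsCertificate, skipped entirely
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def uses_sha1(cert_der):
    """True when the signature hash is SHA-1; an 'unknown' OID should be reviewed by hand."""
    return "sha1" in signature_algorithm(cert_der)[1].lower()


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_skeleton_certificate(sig_oid):
    """CONSTRUCTED fixture: the outer shape of a certificate with an empty tbsCertificate,
    an AlgorithmIdentifier carrying sig_oid, and a dummy BIT STRING. Not a valid certificate."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00")
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # python3 check_sig.py server.pem
        with open(sys.argv[1]) as f:
            der = pem_to_der(f.read())
        oid, name = signature_algorithm(der)
        print(f"{sys.argv[1]}: {name} ({oid})" + ("  <-- SHA-1, replace" if uses_sha1(der) else ""))
    else:                                   # no file given: run on the constructed fixtures
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            der = build_skeleton_certificate(oid)
            print(oid, "->", signature_algorithm(der)[1], "SHA-1" if uses_sha1(der) else "ok")
```

Point it at a PEM file to check a real certificate; with no argument it runs against the constructed fixtures and flags the SHA-1 one. The parser deliberately reads only the outer SEQUENCE, because the signature hash a client will reject lives in the outer signatureAlgorithm, not inside tbsCertificate, and it does no validation of the chain or the signature itself.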

