[OWASP-South Africa] SHA1

Brett Russell brettr at paycorp.co.za
Mon Oct 13 14:28:19 UTC 2014


Hi Tim,

I agree, partially. If you are the only one using the certificate, or you have a closed list of users, use a self-signed cert or even better, create an internal PKI infrastructure and distribute the Root cert so machines trust your cert and you can issue your own certs. We do that and it works well. All our internal sites use our certs, which are free and very secure. Windows Server makes it pretty easy to create your own Active Directory trusted CA; it's kind of built into the server. You can even extend it for 2-factor authentication, which is what we did.

If you are going public, buy a trusted certificate, preferably an EV cert as they have better revocation and security checks built in. For example, someone browsing a site with an EV cert that has data compression from a third party (a bad idea in my opinion) can be declined by the certificate (http://en.wikipedia.org/wiki/Extended_Validation_Certificate). I do not like to see security issues appear in the browser that have to be accepted or ignored by the user, as it goes against the training that I and others give users on how to recognise a secure connection in a browser. I like the StartSSL certs as well, so if cost is an issue, get one for free, but it is only valid for a year (and then you must renew it for free) and only allows a single SAN (Subject Address Name). If that's not an issue, then this is a good option.

Kind regards,
Brett
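Since the thread is about Chrome sunsetting SHA-1 and about issuing certificates from an internal CA, a defender's first step is to find which certificates in an inventory still carry SHA-1 signatures. Below is an added example (not from this thread or from any project it names) that reads the signatureAlgorithm OID straight from a DER-encoded certificate using only the Python standard library; the two sample certificates are constructed skeletons with a placeholder body and signature, not real certificates.

```python
# Added example (not from the list thread): flag SHA-1-signed certificates from DER, stdlib only.
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID content octets: sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID content octets: sha256WithRSAEncryption
SIG_ALGS = {  # dotted OID -> (name, uses SHA-1)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def der_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (dotted OID, name, is_sha1) for the certificate's outer signatureAlgorithm."""
    tag, body, _ = der_tlv(cert_der)                   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, alg_id, _ = der_tlv(body, der_tlv(body)[2])     # skip tbsCertificate; next is AlgorithmIdentifier
    tag, oid, _ = der_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    name, is_sha1 = SIG_ALGS.get(dotted, ("unknown", False))
    return dotted, name, is_sha1

def _tlv(tag, content):  # DER-encode one TLV; used only to build the constructed samples
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(sig_oid):
    """Constructed skeleton: stand-in tbsCertificate and signature, real AlgorithmIdentifier."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                # placeholder body (serial number only)
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" * 257)                      # 2048-bit placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)
```

Feed signature_algorithm() the bytes of any DER (.cer/.der) file; for PEM, base64-decode the text between the BEGIN/END lines first.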





-----Original Message-----
From: owasp-southafrica-bounces at lists.owasp.org [mailto:owasp-southafrica-bounces at lists.owasp.org] On Behalf Of timogoosen
Sent: 11 October 2014 04:40 PM
To: owasp-southafrica at lists.owasp.org
Subject: Re: [OWASP-South Africa] SHA1

Don't buy a certificate, you can use a self-signed cert if it is only for yourself. There is nothing about self-signed certificates that makes them insecure if they are generated correctly and if your server is set up properly and not running on some virtualized crap. The only part about self-signed certs that people don't like is that you will get a warning in your browser that says that it doesn't recognize the Certificate Authority. If only you are using it and you know the identity of your own certificate then a self-signed cert is fine.

Watch this video: https://www.youtube.com/watch?v=fwcl17Q0bpk
"NSA operation ORCHESTRA: Annual Status Report"
At some point he talks about the stupid thinking related to certificate authorities. Not sure if you guys know this, but Verisign, which accounts for a great deal of SSL certificates being sold on the internet, also sells "Lawful Interception Services". If you don't believe me, look at their site on archive.org; they used to have some info on their website about their "lawful interception services."

Also, besides that, you can use StartSSL; they give free SSL certificates for a year. After that you can buy one from gandi.net, they have good prices.

Interesting article which is somewhat related: LibreSSL + nginx on Linux.
https://www.mare-system.de/blog/page/1405201517/

Another interesting link related to using libressl:
https://unix.stackexchange.com/questions/144573/is-it-too-early-to-try-libressl




On 10/08/2014 07:41 PM, Wellington Mekhoe wrote:
> Thanks for the feedback.
> 
> So you would recommend that we still buy SHA1 certificates that would 
> expire end 2015 or move directly to SHA256?  The reason I'm asking is 
> that my friends and I wanted to buy a certificate for some free and 
> open source development work after hours.
> 
> On Wed, Oct 8, 2014 at 6:54 PM, Brett Russell <brett.russell at owasp.org 
> <mailto:brett.russell at owasp.org>> wrote:
> 
>     Apparently they tried to switch to SHA256 and had to switch back to
>     SHA1 because 5% of their site browsers (mozilla.org
>     <http://mozilla.org>) could not get access to download Firefox?
>     Seems everyone is issuing SHA1 certs to expire at the end of 2015,
>     that's what I recommended at work as well.
> 
>     On Wed, Oct 8, 2014 at 10:03 AM, Wellington Mekhoe
>     <wmekhoe at gmail.com <mailto:wmekhoe at gmail.com>> wrote:
> 
>         Have you heard Mozilla's position on this matter?
> 
>         If I get any news, I will share it with you and the community.
> 
>         On 07 Oct 2014 6:37 AM, "Brett Russell" <brett.russell at owasp.org
>         <mailto:brett.russell at owasp.org>> wrote:
> 
>             My concern is the devices, browsers etc that don't support
>             sha256, especially when in my opinion, the move is not
>             really necessary?
> 
>             On Saturday, October 4, 2014, Wellington Mekhoe
>             <wmekhoe at gmail.com <mailto:wmekhoe at gmail.com>> wrote:
> 
>                 Hi Brett
> 
>                 I think for now most people won't care about the
>                 changes, however as chrome is being used more now for
>                 business use, companies will be forced to upgrade their
>                 certificates.
> 
>                 Kind regards
>                 Wellington Mekhoe
> 
>                 On 26 Sep 2014 9:14 PM, "Brett Russell"
>                 <brett.russell at owasp.org> wrote:
> 
>                     Hi All,
> 
>                     As most of you probably know, Google plans to start
>                     "sunsetting" SHA1 support with some interesting
>                     changes to Chrome:
> 
>                     http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
> 
>                     There have been some interesting responses from the
>                     global security community, what do you have to say
>                     about all this? Is anyone in SA actually going to
>                     care, or upgrade their certificate to cater for this?
> 
>                     Kind Regards,
>                     Brett Russell
>                     OWASP South Africa Chapter Leader
> 
>                     _______________________________________________
>                     OWASP-SouthAfrica mailing list
>                     OWASP-SouthAfrica at lists.owasp.org
>                     https://lists.owasp.org/mailman/listinfo/owasp-southafrica
> 
> 
> 
>             --
> 
>             Kind Regards,
>             Brett Russell
>             OWASP South Africa Chapter Leader
> 
> 
> 
> 
>     --
> 
>     Kind Regards,
>     Brett Russell
>     OWASP South Africa Chapter Leader
> 
> 
> 
> 