[OWASP-South Africa] SHA1

Wellington Mekhoe wmekhoe at gmail.com
Tue Oct 14 07:57:54 UTC 2014


Thanks, I will definitely check out the video.
If things with the certificate do not go as planned, we will probably use
Google AppEngine.

On Sat, Oct 11, 2014 at 4:40 PM, timogoosen <timogoosen at runbox.com> wrote:

> Don't buy a certificate, you can use a self-signed cert if it is only
> for yourself.  There is nothing about self-signed certificates that makes
> them insecure if they are generated correctly and if your server is
> set up properly and not running on some virtualized crap.  The only part
> about self-signed certs that people don't like is that you will get a
> warning in your browser that says that it doesn't recognize the
> Certificate Authority.  If only you are using it and you know the
> identity of your own certificate then a self-signed cert is fine.
>
> Watch this video: https://www.youtube.com/watch?v=fwcl17Q0bpk
> "NSA operation ORCHESTRA: Annual Status Report"
> At some point he talks about the stupid thinking related to certificate
> authorities. Not sure if you guys know this but Verisign, which accounts
> for a great deal of SSL certificates being sold on the internet, also
> sells "Lawful Interception Services"; if you don't believe me, look on
> their site with archive.org, they used to have some info on their website
> about their "lawful interception services."
>
> Also besides that you can use StartSSL; they give free SSL certificates
> for a year. After that you can buy one from gandi.net, they
> have good prices.
>
> Interesting article which is somewhat related: LibreSSL + nginx on Linux.
> https://www.mare-system.de/blog/page/1405201517/
>
> Another interesting link related to using libressl:
>
> https://unix.stackexchange.com/questions/144573/is-it-too-early-to-try-libressl
>
>
>
>
> On 10/08/2014 07:41 PM, Wellington Mekhoe wrote:
> > Thanks for the feedback.
> >
> > So you would recommend that we still buy SHA1 certificates that would
> > expire at the end of 2015 or move directly to SHA256?  The reason I'm asking is
> > that my friends and I wanted to buy a certificate for some free and open
> > source development work after hours.
> >
> > On Wed, Oct 8, 2014 at 6:54 PM, Brett Russell <brett.russell at owasp.org
> > <mailto:brett.russell at owasp.org>> wrote:
> >
> >     Apparently they tried to switch to SHA256 and had to switch back to
> >     SHA1 because 5% of their site browsers (mozilla.org
> >     <http://mozilla.org>) could not get access to download Firefox?
> >     It seems everyone is issuing SHA1 certs to expire at the end of 2015,
> >     that's what I recommended at work as well.
> >
> >     On Wed, Oct 8, 2014 at 10:03 AM, Wellington Mekhoe
> >     <wmekhoe at gmail.com <mailto:wmekhoe at gmail.com>> wrote:
> >
> >         Have you heard Mozilla's position on this matter?
> >
> >         If I get any news, I will share it with you and the community.
> >
> >         On 07 Oct 2014 6:37 AM, "Brett Russell" <brett.russell at owasp.org
> >         <mailto:brett.russell at owasp.org>> wrote:
> >
> >             My concern is the devices, browsers etc that don't support
> >             sha256, especially when in my opinion, the move is not
> >             really necessary?
> >
> >             On Saturday, October 4, 2014, Wellington Mekhoe
> >             <wmekhoe at gmail.com <mailto:wmekhoe at gmail.com>> wrote:
> >
> >                 Hi Brett
> >
> >                 I think for now most people won't care about the
> >                 changes, however as Chrome is being used more now for
> >                 business use, companies will be forced to upgrade their
> >                 certificates.
> >
> >                 Kind regards
> >                 Wellington Mekhoe
> >
> >                 On 26 Sep 2014 9:14 PM, "Brett Russell"
> >                 <brett.russell at owasp.org> wrote:
> >
> >                     Hi All,
> >
> >                     As most of you probably know, Google plans to start
> >                     "sunsetting" SHA1 support with some interesting
> >                     changes to Chrome:
> >
> >
> http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
> >
> >                     There have been some interesting responses from the
> >                     global security community, what do you have to say
> >                     about all this? Is anyone in SA actually going to
> >                     care, or upgrade their certificate to cater for this?
> >
> >                     Kind Regards,
> >                     Brett Russell
> >                     OWASP South Africa Chapter Leader
> >
> >                     _______________________________________________
> >                     OWASP-SouthAfrica mailing list
> >                     OWASP-SouthAfrica at lists.owasp.org
> >
> https://lists.owasp.org/mailman/listinfo/owasp-southafrica
> >
> >
> >
> >             --
> >
> >             Kind Regards,
> >             Brett Russell
> >             OWASP South Africa Chapter Leader
> >
> >
> >
> >
> >     --
> >
> >     Kind Regards,
> >     Brett Russell
> >     OWASP South Africa Chapter Leader
> >
> >
> >
> >
> >
>
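The thread above argues two practical points: a self-signed certificate is fine for a private development server, and the thing Chrome is sunsetting is the SHA-1 signature on the leaf and intermediate certificates, so whatever you buy or generate should be signed with SHA-256. The script below is an added example, not code from anyone on the list. It assumes the openssl command-line tool is installed; the hostname dev.example.test and the function names are placeholders chosen for this example. It generates a self-signed certificate signed with SHA-256, reports the signature digest of any PEM certificate, and (given network access) reports the digest of every certificate a live server sends.

```shell
#!/bin/sh
# Added example (not from the thread): make a self-signed certificate that is
# signed with SHA-256 rather than SHA-1, and check which digest signed any
# given certificate, including each certificate a live server sends.
# Assumes the openssl CLI is installed; dev.example.test is a placeholder name.
set -eu

WORKDIR="$(mktemp -d)"

# Generate a 2048-bit RSA key and a one-year self-signed certificate.
# -sha256 selects the signature digest; without it, older OpenSSL
# releases defaulted to SHA-1, which is what Chrome is sunsetting.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=dev.example.test" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/cert.pem"
}

# Print the signature algorithm of a PEM certificate file,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Exit status 0 if the certificate is SHA-1 signed, 1 otherwise.
is_sha1_signed() {
  case "$(sig_alg "$1")" in
    sha1*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Fetch the chain a TLS server presents and report the signature digest of
# each certificate. The root is usually not sent, but the sunset applies to
# the leaf and intermediates, which are. Needs network access.
server_chain_sig_algs() {
  chaindir="$(mktemp -d)"
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk -v d="$chaindir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }'
  for c in "$chaindir"/*.pem; do
    printf '%s -> %s\n' "$(openssl x509 -in "$c" -noout -subject)" "$(sig_alg "$c")"
  done
}

# Stand-alone run: create a SHA-256 self-signed cert and show its digest.
CERT="$(gen_self_signed)"
printf 'Generated %s signed with %s\n' "$CERT" "$(sig_alg "$CERT")"
# For a live host (placeholder name): server_chain_sig_algs www.example.com
```

The browser warning the reply mentions comes from the unknown issuer, not from the digest; a self-signed certificate generated this way still avoids the separate SHA-1 deprecation warning. To check a purchased certificate before deploying it, run sig_alg on the leaf and on each intermediate the CA supplies, since a SHA-256 leaf behind a SHA-1 intermediate is still affected.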