As Sites Move To SHA2 Encryption, Millions Face HTTPS Lock-Out

Megalith
SHA1 certificates will no longer be issued next year due to the weakening algorithm, but trouble looms for those with browsers or devices that are incompatible with SHA2.

SHA1, the cryptographic hashing algorithm that's been at the heart of the web's security for a decade, will be retired in a little over a year. Some say it could be cracked by the end of the year, essentially making it useless and weakening security for millions of users. Certificate authorities said they will respond by no longer issuing SHA1 certificates at midnight, January 1 2016, opting instead for SHA2 certificates. SHA2 is a significantly stronger algorithm that will last for many years to come. But there's a problem. A small but sizable portion of the internet's users don't have browsers or devices that are compatible with SHA2.
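The practical check behind the article is "which hash did the CA sign my certificate with?" The following is an added example, not code from the article or from any poster: it walks just enough DER to read the outer signatureAlgorithm field of an X.509 certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }, RFC 5280 section 4.1) and maps the OID to the digest used. Because no real certificate is on the page, the block builds constructed stand-in certificates with a correct outer layout and dummy contents; the names `signature_hash`, `needs_reissue`, `fake_certificate` and the helper functions are all this example's own.

```python
"""Added example: report the signature hash of a DER-encoded X.509 certificate.

Only the outer signatureAlgorithm is read; tbsCertificate is skipped. The sample
certificates built by fake_certificate() are constructed stand-ins (real outer
structure, dummy body and signature), not real certificates.
"""

# signatureAlgorithm OIDs commonly seen on CA-issued certs -> (name, digest)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_hash(der):
    """Return (oid, algorithm name, digest) from the certificate's signatureAlgorithm."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)           # tbsCertificate: not needed here
    tag, sig_alg, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = read_tlv(sig_alg)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(oid_bytes)
    name, digest = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def needs_reissue(der):
    """True when the cert is not signed with a SHA-2 digest (SHA-1 or unrecognised)."""
    return signature_hash(der)[2] not in ("SHA-256", "SHA-384", "SHA-512")


# ---- constructed sample certificates (layout only, not real certificates) ----

def der_tlv(tag, value):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    """Inverse of decode_oid."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Certificate ::= SEQUENCE { tbs, sigalg, sig } with a dummy body (padded past
    127 bytes so the parser's long-form length path is exercised)."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x02") + b"\x00" * 200)   # placeholder, not a valid TBS
    sig_alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" * 33)                             # BIT STRING, dummy
    return der_tlv(0x30, tbs + sig_alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        der = fake_certificate(oid)
        print(signature_hash(der), "reissue:", needs_reissue(der))
```

To run this against a real certificate, pass the raw DER bytes (for a PEM file, base64-decode the text between the BEGIN/END lines first); `openssl x509 -in cert.pem -noout -text` shows the same field as "Signature Algorithm". Check every certificate in the served chain except the root: a root is a self-signed trust anchor, so the digest on its own signature is never verified by a client, while an intermediate still signed with SHA-1 will fail the same way a SHA-1 leaf does.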
 
Since the article wasn't particularly clear about what supports SHA2 and what doesn't, here's a page with a list:

https://www.digicert.com/sha-2-compatibility.htm

A few notables: Chrome 26+, Firefox 1.5+, IE 6+ (with XP SP3+), Opera 9.0+, Safari 3+.

The upshot is that you are running seriously old-school stuff if you can't meet this. Even the Firefox 3 diehards are still fine.
 
IMHO, this is probably not a bad thing. It might force some people to stop using vulnerable old tech which is contributing to botnets and other problems on the internet.

IMHO, anyone still using Windows XP on a machine hooked up to the internet, should be unceremoniously taken out back and shot in the head.
 
I have been moving apps to SHA-2 as the certs expire and have not run into any issues.
 
Since the article wasn't particularly clear about what supports SHA2 and what doesn't, here's a page with a list:

https://www.digicert.com/sha-2-compatibility.htm

A few notables: Chrome 26+, Firefox 1.5+, IE 6+ (with XP SP3+), Opera 9.0+, Safari 3+.

The upshot is that you are running seriously old-school stuff if you can't meet this. Even the Firefox 3 diehards are still fine.
Shouldn't those all be -'s?
 
The US military still uses Windows XP.

No they don't, they've been using Windows 7 32-bit for years now. They just recently got the go-ahead to upgrade to Windows 10, which requires them to first upgrade to 64-bit versions of Win7.
 
No they don't, they've been using Windows 7 32-bit for years now. They just recently got the go-ahead to upgrade to Windows 10, which requires them to first upgrade to 64-bit versions of Win7.

There are some systems that are reliant on XP.

Overall for general office use, you are right.
 
Since the article wasn't particularly clear about what supports SHA2 and what doesn't, here's a page with a list:

https://www.digicert.com/sha-2-compatibility.htm

A few notables: Chrome 26+, Firefox 1.5+, IE 6+ (with XP SP3+), Opera 9.0+, Safari 3+.

The upshot is that you are running seriously old-school stuff if you can't meet this. Even the Firefox 3 diehards are still fine.

If Firefox 3 users are the die hards, then what class do the IE6 users fall under? :D
 
Zarathustra[H];1041930179 said:
You might have missed this news.

I didn't miss anything, the normal Internet-accessible computers haven't been on XP in years, so the news in the OP has zero effect on the military.
 
I have tons of clients on XP, people don't want to spend the money to upgrade older machines that still do the work required of them...
 
Hell, there are computers in my company still on Windows 95. But they are off network and can't be upgraded due to software compatibility, and it is prohibitively expensive, think 7+ figures, to upgrade.
 
I have tons of clients on XP, people don't want to spend the money to upgrade older machines that still do the work required of them...

And they are likely responsible for letting botnet operators use their systems to attack and take down my servers every few weeks. :mad:

IMHO, all operating systems should come with a self-destruct sequence that disables all networking the moment they are no longer supported.

It's because of people like this we can't have nice things. :rolleyes:
 
Zarathustra[H];1041930880 said:
And they are likely responsible for letting botnet operators use their systems to attack and take down my servers every few weeks. :mad:

IMHO, all operating systems should come with a self-destruct sequence that disables all networking the moment they are no longer supported.

It's because of people like this we can't have nice things. :rolleyes:

Also, pretty soon they will have to pay money to upgrade as pretty soon they won't be able to "do the work required of them..." when they won't be able to load any websites.
 
Zarathustra[H];1041930880 said:
And they are likely responsible for letting botnet operators use their systems to attack and take down my servers every few weeks. :mad:

IMHO, all operating systems should come with a self-destruct sequence that disables all networking the moment they are no longer supported.

It's because of people like this we can't have nice things. :rolleyes:


I still have 2 XP systems on my office network.
One is an old fax gateway used for testing (nobody uses it to go on the internet, so it's very unlikely to get infected), and the other is a VM I occasionally fire up to run apps that only work under XP, to reconfigure some network equipment.

So you are telling me XP should disable networking and force me to junk tens of thousands of dollars of equipment because some people can't monitor their systems?
The likelihood of either of these systems getting infected is very low, and even if it somehow happened, I would be notified either by the AV software or the office firewall monitor.
 
I didn't miss anything, the normal Internet-accessible computers haven't been on XP in years, so the news in the OP has zero effect on the military.
But how about the ABNORMAL internet accessible computers? I'm betting there are more than a few.
 
SHA encryption is kind of the wrong terminology.
SHA is a hashing method, not an encryption method.

Whatever data you throw through SHA is not easy to get back to the original form. (That's the purpose.)
Whereas with encryption it can be decoded back with the right key.
 
I still have 2 XP systems on my office network.
One is an old fax gateway used for testing (nobody uses it to go on the internet, so it's very unlikely to get infected), and the other is a VM I occasionally fire up to run apps that only work under XP, to reconfigure some network equipment.

So you are telling me XP should disable networking and force me to junk tens of thousands of dollars of equipment because some people can't monitor their systems?
The likelihood of either of these systems getting infected is very low, and even if it somehow happened, I would be notified either by the AV software or the office firewall monitor.

As a Network/Security admin I say yes, you should disable networking, but nobody is making you, so roll the dice all you want. If you think AV software and a firewall are going to keep somebody out if they want in, then you need to seriously catch up on your security training.
 
Zarathustra[H];1041930880 said:
And they are likely responsible for letting botnet operators use their systems to attack and take down my servers every few weeks. :mad:

IMHO, all operating systems should come with a self-destruct sequence that disables all networking the moment they are no longer supported.

It's because of people like this we can't have nice things. :rolleyes:

mmhmm, ok, I would love to be part of that lawsuit!

I guarantee you there is more very old equipment running very important things than you can imagine... Hell, I still support some NT4 boxes that run critical infrastructure.

And last time we got attacked by a botnet it was a Linux botnet, neat!

Also, pretty soon they will have to pay money to upgrade as pretty soon they won't be able to "do the work required of them..." when they won't be able to load any websites.

Not everyone's job is browsing the internet wasting time at work.

Anyway, you can use modern browsers and A/Vs on XP, so I don't see the issue... I've run across more infected 7 machines lately than anything else.
 