[Busec] SHA-1 shattered!

Eugene Kolo eugenek at bu.edu
Thu Feb 23 12:05:50 EST 2017


Let's first make https://bu.edu actually work (no www), so people actually
use the HTTPS version.



On Thu, Feb 23, 2017 at 11:01 AM, Mayank Varia <varia at bu.edu> wrote:

> Very cool! Thanks for sharing, Aanchal.
>
> Question: can we leverage the break to convince the powers-that-be at BU
> IS&T to upgrade their servers to negotiate better ciphers? My connection to
> https://www.bu.edu uses okay-ish* public key crypto, but it then uses
> HMAC over SHA-1 for symmetric authentication.**
>
> Good thing it is not used for anything like BUWorks (which contains my PII
> and allows someone to choose where my salary is direct-deposited) or
> FacultyLink (where I enter the students' final grades at the end of the
> semester).***
>
> Screenshot attached from Google Chrome.
>
> Mayank
>
> * I'm trying to be generous here. Google is less generous.
>
> ** I know that HMAC doesn't require SHA-1 to be collision resistant (
> http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html). Still, their cipher
> negotiation is massively outdated in general. What's that saying: never let
> a crisis go to waste.
>
> *** The web login page negotiates AES256-GCM, but then the actual grading
> page itself negotiates the same ciphers as the main page.
>
> [image: pasted1]
>
>
> On Thu, Feb 23, 2017 at 10:04 AM Aanchal Malhotra <aanchal4 at bu.edu> wrote:
>
>> http://shattered.io/
>>
>> SHA-1 collision now a reality. Colliding PDFs, infographics, etc.
>> Good thing it is not used for anything like git or PGP.
>>
>>
>> _______________________________________________
>> Busec mailing list
>> Busec at cs.bu.edu
>> http://cs-mailman.bu.edu/mailman/listinfo/busec
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pasted1
Type: image/png
Size: 37661 bytes
Desc: not available
URL: <http://cs-mailman.bu.edu/pipermail/busec/attachments/20170223/f034c62e/attachment-0001.png>

