<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Actually ... these are by far *not* the lowest hanging security fruit on campus.<div class=""><br class=""><div class="">As of now, there is no authenticated method for sending any e-mails to the community ...</div><div class="">not emergency e-mails (incident on X rd. - please stay away), not sysadmin e-mails</div><div class="">(please upgrade your machine using the following commands as root), not faculty</div><div class="">e-mails to student (class is canceled today).</div><div class=""><br class=""></div><div class="">No attacker is going to waste time munging a SHA-1 hash when a simple well-crafted</div><div class="">phish would work.</div><div class=""><br class=""></div><div class="">best,</div><div class=""><span class="Apple-tab-span" style="white-space:pre">        </span>-Ari</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 23, 2017, at 12:05 PM, Kolodenker, Yevgeniy &lt;<a href="mailto:eugenek@bu.edu" class="">eugenek@bu.edu</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" class="">

<div class="">
<div dir="ltr" class="">
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small;color:#3366ff">
Let's first make <a href="https://bu.edu/" class="">https://bu.edu</a> actually work (no www), so people actually use the HTTPS version.</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small;color:#3366ff">
<br class="">
</div>
<div class="gmail_default" style="font-family:monospace,monospace;font-size:small;color:#3366ff">
<br class="">
</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Thu, Feb 23, 2017 at 11:01 AM, Mayank Varia <span dir="ltr" class="">
&lt;<a href="mailto:varia@bu.edu" target="_blank" class="">varia@bu.edu</a>&gt;</span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="">Very cool! Thanks for sharing, Aanchal.
<div class=""><br class="">
</div>
<div class="">Question: can we leverage the break to convince the powers-that-be at BU IS&amp;T to upgrade their servers to negotiate better ciphers? My connection to
<a href="https://www.bu.edu/" target="_blank" class="">https://www.bu.edu</a>&nbsp;uses okay-ish* public key crypto, but it then uses HMAC over SHA-1 for symmetric authentication.**</div>
<div class=""><br class="">
</div>
<div class="">Good thing it is not used for anything like BUWorks (which contains my PII and allows someone to choose where my salary is direct-deposited) or FacultyLink (where I enter the students' final grades at the end of the semester).***</div>
<div class=""><br class="">
</div>
<div class="">Screenshot attached from Google Chrome.</div>
<div class=""><br class="">
</div>
<div class="">Mayank</div>
<div class=""><br class="">
</div>
<div class="">* I'm trying to be generous here. Google is less generous.</div>
<div class=""><br class="">
</div>
<div class="">** I know that HMAC doesn't require SHA-1 to be collision resistant (<a href="http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html" target="_blank" class="">http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html</a>). Still, their cipher negotiation is massively outdated in general. What's that saying: never let a crisis go to waste.</div>
<div class=""><br class="">
</div>
<div class="">*** The web login page negotiates AES256-GCM, but then the actual grading page itself negotiates the same ciphers as the main page.</div>
<div class=""><br class="">
</div>
<div class=""><span id="cid:15a6ba05f2ad0cad2201">&lt;pasted1.png&gt;</span></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="gmail_quote">
<div class="">
<div class="h5">
<div dir="ltr" class="">On Thu, Feb 23, 2017 at 10:04 AM Aanchal Malhotra &lt;<a href="mailto:aanchal4@bu.edu" target="_blank" class="">aanchal4@bu.edu</a>&gt; wrote:<br class="">
</div>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
<div class="h5">
<div dir="ltr" class="m_-4453973457306563809gmail_msg"><a href="http://shattered.io/" class="m_-4453973457306563809gmail_msg" target="_blank">http://shattered.io/</a><br class="m_-4453973457306563809gmail_msg">
<br class="m_-4453973457306563809gmail_msg">
SHA-1 collision now a reality. Colliding PDFs, infographics, etc.<br class="m_-4453973457306563809gmail_msg">
Good thing it is not used for anything like git or PGP.<br class="m_-4453973457306563809gmail_msg">
<div class="m_-4453973457306563809gmail_msg"><br class="m_-4453973457306563809gmail_msg">
<br class="m_-4453973457306563809gmail_msg">
</div>
</div>
</div>
</div>
______________________________<wbr class="">_________________<br class="m_-4453973457306563809gmail_msg">
Busec mailing list<br class="m_-4453973457306563809gmail_msg">
<a href="mailto:Busec@cs.bu.edu" class="m_-4453973457306563809gmail_msg" target="_blank">Busec@cs.bu.edu</a><br class="m_-4453973457306563809gmail_msg">
<a href="http://cs-mailman.bu.edu/mailman/listinfo/busec" rel="noreferrer" class="m_-4453973457306563809gmail_msg" target="_blank">http://cs-mailman.bu.edu/mailman/listinfo/busec</a><br class="m_-4453973457306563809gmail_msg">
</blockquote>
</div>
</div>
</div>
<br class="">
<br class="">
</blockquote>
</div>
<br class="">
</div>
</div>

</div></blockquote></div><br class=""><div class="">
—<br class="">Prof. Ari Trachtenberg<br class="">Electrical and Computer Engineering<br class="">Boston University<br class=""><a href="mailto:trachten@bu.edu" class="">trachten@bu.edu</a><br class=""><br class=""><br class=""><br class=""><br class="">
</div>
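<div class="">The thread's concrete technical complaint is a server still negotiating suites whose record integrity comes from HMAC-SHA1. The script below is an added example (not from the thread, and not BU IS&amp;T's actual configuration) showing how a defender can audit the suites a TLS context would offer and build one that refuses SHA-1-authenticated suites. It uses only Python's standard-library <code>ssl</code> module against the local OpenSSL cipher table, so it runs offline and contacts no host; the cipher-list string <code>HARDENED_CIPHERS</code> is an assumed policy for illustration.</div>

```python
"""Audit a TLS cipher list for suites that authenticate records with
HMAC-SHA1, and build a client context that refuses them.

Added example, not part of the mailing-list thread and not BU's server
configuration. Only the standard-library ``ssl`` module and the local
OpenSSL cipher table are used, so nothing is contacted over the network.
"""
import ssl

# Assumed hardening policy (illustrative, not an IS&T setting): forward-secret
# AEAD suites only. "!SHA1" is OpenSSL's own selector for suites whose record
# MAC is HMAC-SHA1, so they are excluded explicitly as well.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!SHA1:!aNULL:!eNULL:!MD5"


def uses_sha1_mac(cipher):
    """True if a ``get_ciphers()`` entry uses HMAC-SHA1 for record integrity.

    OpenSSL's description string ends in ``Mac=SHA1`` for CBC suites such as
    AES256-SHA, and in ``Mac=AEAD`` for GCM and ChaCha20-Poly1305 suites
    (integrity there comes from the AEAD tag, not an HMAC). The name check
    is a fallback for the same naming convention (e.g. ECDHE-RSA-AES256-SHA).
    """
    return "Mac=SHA1" in cipher["description"] or cipher["name"].endswith("-SHA")


def audit(context):
    """Group the suites a context would offer by how they authenticate records."""
    report = {"aead": [], "sha1_mac": [], "other_mac": []}
    for cipher in context.get_ciphers():
        if uses_sha1_mac(cipher):
            report["sha1_mac"].append(cipher["name"])
        elif "Mac=AEAD" in cipher["description"]:
            report["aead"].append(cipher["name"])
        else:
            report["other_mac"].append(cipher["name"])
    return report


def permissive_context():
    """Mirror the 'negotiate whatever is offered' situation from the thread:
    every suite the local OpenSSL knows, HMAC-SHA1 CBC suites included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context():
    """Client context that will never negotiate a SHA-1-authenticated suite.

    TLS 1.3 suites (all AEAD) are unaffected by set_ciphers() and remain
    available; the minimum version keeps legacy protocols out entirely.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def main():
    for label, ctx in (("ALL", permissive_context()),
                       ("hardened", hardened_context())):
        report = audit(ctx)
        print(f"{label}: {len(report['aead'])} AEAD, "
              f"{len(report['sha1_mac'])} HMAC-SHA1, "
              f"{len(report['other_mac'])} other MAC")
        for name in report["sha1_mac"][:5]:
            print("  still offers HMAC-SHA1 suite:", name)


if __name__ == "__main__":
    main()
```

<div class="">The same cipher-list string can be dropped into a server's OpenSSL-based configuration; the audit function is the part worth keeping, since it reports what a context would actually offer rather than what the operator believes was configured.</div>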
<br class=""></div></div></body></html>