This recent paper “From Collisions to Chosen-Prefix Collisions – Application to Full SHA-1” by G. Leurent and T. Peyrin puts another nail in the coffin of SHA1. The authors present a chosen-prefix collision attack on SHA1 which allows client impersonation in TLS 1.2 and peer impersonation in IKEv2 with an expected cost between 1.2 and 7 Million US$. The authors expect that it will soon be possible to bring the cost down to 100.000 US$ per collision.
As for CA certificates, the attack allows, at the same cost, the creation of a rogue CA and of fake certificates whose signature uses the SHA1 hash, but only if the true CA does not randomize the serial number field in the certificates.
It has been known for almost 15 years that SHA1 is not secure: NIST deprecated it in 2011, and it should not have been used from 2013 and should have been replaced with SHA2 or SHA3. By 2017 all browsers should have removed support for SHA1, but the problem is always with legacy applications that still use it: how many of them are still out there?
A recent study by KU Leuven-iMinds researchers points out that device and web-browser fingerprinting is on the rise, in spite of all efforts to limit it, such as the introduction of the “Do Not Track” HTTP Header.
This does not surprise me, since advertisement and marketing are usually at odds with privacy, and most do not understand well the real meaning and breadth of the information that it is possible to collect by tracking users on the internet.
On the other hand, device fingerprinting is a very useful tool for the ICT security of web transactions: knowing which device is making the transaction and which user it is (usually) associated with, together with the geolocation of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.
In the end, the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.
This week two news items about web browser security got my attention.
First of all, the CanSecWest’s Pwn2Own contest ended with a complete debacle for all web browsers (for example see here for a summary). Only Chrome OS has survived untouched. I interpret this more as an indication of the poor security state of web browsers than of the (undeniable) ability of the participants. From the implementation point of view, the security of our web browsers is not great at all, and this notwithstanding all that has happened in the last years.
From the strategic point of view, the participants in this ACM panel discussion state very clearly that the security of Web Browsers is broken by design, which just confirms the very sorry state of affairs in which we are. Even more, they claim that there is little if any incentive to improve the situation.
And it is no joke that our lives depend more and more each day on web browsers, from banking to health, work, education, etc.