Thursday, September 11, 2014

Bro and Chrome's Sunsetting of SHA-1

A few days ago, Google announced their plan to sunset certificates signed with the SHA-1 hash algorithm in the near future. Google no longer considers SHA-1 certificates secure going forward, as collision attacks against SHA-1 are becoming more realistic.

For these reasons, Chrome will start downgrading its security indicators for HTTPS connections whose certificate chain is signed with SHA-1 and whose host certificate is valid beyond the end of 2015. Depending on how far the certificate's validity extends, the indicator first changes to the symbol for an HTTPS connection with minor errors and, for longer-lived certificates, to the symbol for a connection that is not secure.

Chrome will begin to show these downgraded indicators for such certificates at the end of September 2014.

We created a Bro script that can detect servers in your local network that contain such certificates.

To use the script, download it from https://github.com/0xxon/bro-scripts/blob/master/chrome-sha1.bro and either load it from your local.bro (when using broctl) or add it to the Bro command line when starting Bro manually. By default the script only checks servers whose address is in Site::local_nets.

The script writes a notice to notice.log for each server that serves such a certificate. Example output is included in the git repository.
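As an added illustration (this is not the chrome-sha1.bro script from the repository linked above, and not the author's code), the following Bro script implements the check the post describes: on every completed TLS handshake to a server in Site::local_nets it inspects the offered chain, counts certificates whose signature algorithm uses SHA-1, and raises a notice when the host certificate is valid past the end of 2015. The cutoff constant, the notice name ChromeSHA1::SHA1_Certificate, the one-day suppression and the decision to ignore self-signed roots are assumptions of this example.

```bro
##! Added example, not the script referenced in the post: flag local TLS
##! servers whose chain carries a SHA-1 signature and whose host
##! certificate is valid beyond 2015-12-31.

@load base/frameworks/notice
@load base/protocols/ssl
@load base/utils/site

module ChromeSHA1;

export {
	redef enum Notice::Type += {
		## A local server presents a SHA-1 signed chain that Chrome
		## will mark as (increasingly) insecure.
		SHA1_Certificate
	};

	## Host certificates expiring after this instant are affected.
	## Assumption: 2016-01-01 00:00:00 UTC, given as a Unix timestamp.
	const cutoff: time = double_to_time(1451606400.0) &redef;

	## Only report servers inside Site::local_nets by default.
	const local_only = T &redef;
}

## Return T if a signature algorithm name refers to SHA-1, which
## covers names such as "sha1WithRSAEncryption" and "ecdsa-with-SHA1".
function uses_sha1(sig_alg: string): bool
	{
	return "sha1" in to_lower(sig_alg);
	}

event ssl_established(c: connection)
	{
	if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
		return;

	if ( local_only && ! Site::is_local_addr(c$id$resp_h) )
		return;

	local chain = c$ssl$cert_chain;

	# The host (end-entity) certificate is the first one in the chain.
	if ( ! chain[0]?$x509 )
		return;
	local host_cert = chain[0]$x509$certificate;

	# Certificates that expire before the cutoff keep the normal indicator.
	if ( host_cert$not_valid_after <= cutoff )
		return;

	local sha1_certs = 0;
	for ( i in chain )
		{
		if ( ! chain[i]?$x509 )
			next;
		local cert = chain[i]$x509$certificate;
		# Assumption: a self-signed root's own signature is never verified
		# by the browser, so a SHA-1 root alone does not trigger the warning.
		if ( cert$subject == cert$issuer )
			next;
		if ( uses_sha1(cert$sig_alg) )
			++sha1_certs;
		}

	if ( sha1_certs == 0 )
		return;

	NOTICE([$note=SHA1_Certificate,
	        $msg=fmt("%s:%s serves a SHA-1 signed chain (%d of %d certs); host certificate %s expires %s",
	                 c$id$resp_h, c$id$resp_p, sha1_certs, |chain|,
	                 host_cert$subject,
	                 strftime("%Y-%m-%d", host_cert$not_valid_after)),
	        $conn=c,
	        # One notice per server, not per connection.
	        $identifier=cat(c$id$resp_h, c$id$resp_p),
	        $suppress_for=1day]);
	}
```

Save it as, for example, chrome-sha1-example.bro, then either add `@load ./chrome-sha1-example` to local.bro or run `bro -r capture.pcap chrome-sha1-example.bro` against a trace; matches appear in notice.log under the ChromeSHA1::SHA1_Certificate type. Set `ChromeSHA1::local_only = F` in local.bro if you also want to see external servers your users talk to.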

Please let us know any issues you encounter when using this script.
