sibiantony / ssleuth

A firefox add-on to rate the quality of HTTPS connections
GNU General Public License v3.0

Points off for SHA-1 Hmac #30

Open zenzora opened 9 years ago

zenzora commented 9 years ago

I don't believe that the rankings should take points off for a site implementing SHA-1 HMAC as a collision attack isn't really applicable in that situation. Many secure sites, including banks, use SHA-1 HMACs without controversy.

sibiantony commented 9 years ago

  1. There are plenty of banks that still support old and weak cipher suites (including RC4), possibly because they have old installations and it is difficult to migrate. Just because some banks use a specific cipher suite doesn't make them secure.
  2. While rating a list of algorithms in a single cipher suite (SHA384/SHA256/SHA1), SHA1 is weak, and hence it's rated low. If you've a better rating figure, I'd welcome that. But there is clearly a difference in the strength. (Also compare ssllabs' sorting of cipher suites by strength.)
  3. RFC 4868, Section 3.1 (https://tools.ietf.org/html/rfc4868#section-3): security considerations of the proposed SHA-256+ functions vs. SHA-1 HMAC.

Most of the security-conscious and ready-to-migrate web services out there have already moved to SHA-256 based HMAC (also AEAD GCM). Google, Facebook, GitHub, ... just to name a few. If these services support older cipher suites as a last preference, that is only to make older web clients happy.

zenzora commented 9 years ago

  1. You're totally correct, just because a "secure" institution supports something doesn't mean it's correct.
  2. SHA-1 is weaker than SHA-256 because of its potential for collision attacks. As such I agree that the SHA-1 hash function should be ranked lower than SHA-256, especially in regard to things such as digital signatures. When it comes to HMACs, however, collision attacks are not important (the inner hash function provides protection by accepting only a fixed length string) and as such HMAC-SHA-1 as an algorithm is just as secure as 256 is. Here's what Schneier has to say on the subject (https://www.schneier.com/blog/archives/2005/02/sha1_broken.html)
  3. Section 3.1 seems to support this

    "It is important to note that at this time, it is not clear that HMAC-SHA-256 with a truncation length of 128 bits is any more secure than HMAC-SHA1 with the same truncation length"

All in all, the important issue here is the length of the key, which in both cases is bound to 2^64.

BTW, this really is a great plugin, thanks a bunch for developing it.
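
Added example, not part of the issue thread or of ssleuth's code: the HMAC construction (RFC 2104) that the comments above refer to, computed over SHA-1 and SHA-256 and truncated to the 128-bit tag length mentioned in the RFC 4868 quote. The key and message are constructed sample values (the inputs of RFC 2202 test case 1), and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample input (same key and message as RFC 2202 test case 1).
KEY = bytes([0x0B]) * 20
MSG = b"Hi There"


def hmac_manual(hash_name, key, msg):
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1 and SHA-256
    if len(key) > block:
        key = h(key)                 # over-long keys are hashed first
    key = key.ljust(block, b"\x00")  # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # The secret key is mixed in before the message in both passes, so the
    # tag depends on hash state that is not visible to someone without the key.
    return h(opad + h(ipad + msg))


def truncated_tag(hash_name, key, msg, bits=128):
    """Keep the leftmost `bits` of the HMAC output as the tag."""
    return hmac_manual(hash_name, key, msg)[: bits // 8]


def verify(hash_name, key, msg, tag, bits=128):
    """Recompute the truncated tag and compare in constant time."""
    return hmac.compare_digest(truncated_tag(hash_name, key, msg, bits), tag)


if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        full = hmac_manual(name, KEY, MSG)
        tag = truncated_tag(name, KEY, MSG)
        print(f"HMAC-{name}: full {len(full) * 8} bits, tag {tag.hex()}")
        print("  verifies:", verify(name, KEY, MSG, tag))
        print("  tampered message verifies:", verify(name, KEY, MSG + b"!", tag))
```
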