Thursday, October 29, 2015

American military sites secured with dud SHA-1 cipher - The Register

America, your military fails at security. That's the message from Netcraft security expert Paul Mutton, who has found a bunch of Department of Defence (DoD) agencies issuing SHA-1 certificates.
SHA-1 is almost as old as the art of war: created in 1995, it was secure then, but now, you only need US$75,000 to buy enough cloud CPU to crack an SHA-1 signature.
Netcraft is waging war on the stubborn protocol, and earlier this month warned that there's still a quarter of a million SHA-1 certs with expiry dates of 2017 or later.
The use of those certs in dot-mil domains, however, singles it out for special criticism, since the National Institute of Standards and Technology (NIST) has long told US government agencies that SHA-1 is no longer acceptable...

Bth - so raping security breaches are allowed to exist due to bureaucratic inertia and incompetence.

