1

Google has successfully shattered SHA-1 and still I found that SHA-1 digest algorithm is used for signing the hash. Even Google Chrome is accepting this kind of certificate without any kind of warning. But if am using RSA for key exchange, Chrome will warn for using obsolete cipher methods. Am I missing something?

CA Certificate Details

schroeder
  • 129,372
  • 55
  • 299
  • 340
Tibin
  • 119
  • 2
  • "Google has successfully shattered SHA-1"? Reference? If so, does that mean it is insecure for this use? – schroeder Mar 27 '17 at 06:32
  • @schroeder https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Thats what i need to know. – Tibin Mar 27 '17 at 08:41
  • From the root certificate store provided by Microsoft with Windows. Read the answer under the duplicate question. – techraf Mar 27 '17 at 08:54
  • @techraf if it is root certificate it will be present in machine, i thought about the server's certificate which will be shared with the client. – Tibin Mar 27 '17 at 08:57
  • So, a PoC was demonstrated less than a month ago and you expect that browsers should reject the method by now? The internal security team recommends "sunsetting" SHA-1. They never said that this is a "Heartbleed" moment and pulling the emergency cord. – schroeder Mar 27 '17 at 10:24

0 Answers0