Skip navigation

Chrome 40 and SHA-2: Certificate Boogaloo

Rewind back to 2008 for a minute.

The MD5 cryptographic hashing algorithm had taken a beating from security researchers in the early 2000s. It was getting cheaper and easier to generate MD5 collisions. That is, two different blobs of data could be generated that had the same output digest when run through the MD5 algorithm, sometimes with attacker-controlled input (a chosen-plaintext collision).

The implications of practical collision attacks against hashing algorithms such as MD5 are widespread. However, attacks up to 2008 had been primarily academic in nature: “Hey, look I can generate two giant files that have the same MD5 hash, if I lease out the supercomputer for a month.”

A group of security researchers decided to challenge the real-world security of the MD5 algorithm and targeted the Certificate Authorities (CAs) and PKI that form the underlying trust of SSL/TLS communications on the Internet. It turns out that several CAs were still using the MD5 algorithm for ensuring the integrity of their certificates.

So, this group of researchers pulled off a practical and severe MD5 collision attack against a CA's certificate, allowing them to forge their own CA certificate and sign new valid certificates (eg. google.com) with it. And it didn't take a ton of time and money, just a day or two using 200 Playstation 3s.

MD5 collision

So, MD5 was ejected from use by CAs, and SHA-1 was the new algorithm of choice.

Ok, fast forward back to today.

The SHA-1 algorithm that we replaced MD5 with is facing similar pressure and attacks. We've also seen that it's not just academic researchers we need to worry about, but large nation-state intelligence agencies that have more funding and resources than a few Playstation consoles and plenty of motivation and newly-documented ambition to break much of the cryptography used on the Internet to secure communications.

In fact, besides all the Snowden/NSA docs, the Flame malware discovered back in 2012 that is rumored to have been written (at least in part) by US intelligence agencies used an advanced private-developed variation of the MD5 collision attack in order to create a forged Windows Update certificate.

While SHA-1 is not in the same immediate peril as MD5 was back in 2008, we've learned to be a little more progressive in terms of Internet security, given a better understanding of where the intelligence community may be at in terms of capabilities compared to the attacks against SHA-1 that are publicly disclosed by academic researchers. So, to get a bit ahead of the curve, CAs have begun to issue SHA-2 based certificates and are slowly deprecating any SHA-1 certificates to avoid history repeating itself.

To accelerate the migration from SHA-1 to SHA-2, Google has decided to warn users about SHA-1 certificates in the Chrome web browser. In other words, if you visit a website that has not yet moved to a SHA-2 SSL certificate, Chrome will display a warning in the address bar where the "SSL lock" usually is. These changes to the Chrome web browser will likely hit hundreds of millions of Internet users this week with the release of Chrome 40, so get ready for warning-palooza!

So, what does this mean for you?

For Duo customers

If you're a Duo customer, you have nothing to worry about since our two-factor cloud service was migrated to SHA-2 SSL certificates on January 5th, 2015.

Our SHA-2 migration efforts started back in April 2014, when CAs started issuing SHA-2 certificates. We worked to ensure our integrations supported SHA-2 certificates when communicating with our cloud service. We wanted to tackle this proactively since moving to SHA-2 sooner than later was a win for the transport security of our customers' two-factor deployments.

When Google announced their SHA-1 deprecation initiative for Chrome back in September, we set a hard migration deadline of January 5th to switch our services to SHA-2. It simply wasn't acceptable to us to have our customers face potential insecurity OR experience a confusing/concerning warning in their Chrome web browser when accessing our service.

For normal users

If you're just an average Joe or Jane on the Internet and using the Chrome web browser, you will likely start seeing a lot of warnings in the Chrome address bar where you normally see the green lock indicating a secure connection. Those warnings may look like one of the following icons, increasing in severity over time:

Chrome 40 SHA-2 warnings

If you click on that warning, you will see a message along the lines of:

This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

Unfortunately, there's not much you can do as an end user, besides encourage the operator of the site to switch to a SHA-2 certificate. While there's no evidence to suggest that your SSL connection to that site is insecure or being snooped on by the NSA, you should ideally see these warning go away over time as sites upgrade their SSL certificates.

Jon Oberheide

Jon Oberheide

CTO & Co-Founder

@jonoberheide

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.