
Security quotes of the week

The point is that we in the community need to start the migration away from SHA-1 and to SHA-2/SHA-3 now.
-- Bruce Schneier

That's because a design flaw in the service [McAfee Secure], and in competing services offered by Trust Guard and others, makes it easy to discover in almost real time when a customer has had the seal revoked. A revocation is either a sign the site has failed to pay its bill, has been inaccessible for a sustained period of time, or most crucially, is no longer able to pass the daily security test.
-- Dan Goodin in ars technica

This apparent screw up in the automated filter mistakenly attempts to censor AMC Theatres, BBC, Buzzfeed, CNN, HuffPo, TechCrunch, RealClearPolitics, Rotten Tomatoes, ScienceDirect, Washington Post, Wikipedia and even the U.S. Government.

Judging from the page titles and content the websites in question were targeted because they reference the number "45".

-- TorrentFreak looks at a Microsoft DMCA notice


We in the community

Posted Oct 11, 2012 11:04 UTC (Thu) by man_ls (guest, #15091)

What community is Schneier talking about? I guess he means the security community, whatever that means. I believe that free software is already actively migrating away from SHA-1, as confirmed by a cursory web search: Debian, Fedora. Those security-related projects that still use SHA-1 should heed his advice.

We in the community

Posted Oct 18, 2012 13:44 UTC (Thu) by robbe (guest, #16131)

Applying "openssl x509 -text" to lwn.net's SSL certificate:
  [...]
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA
  [...]


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds