US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

[Posted January 11, 2016 by ris]

Netcraft reports that the US Department of Defense (DoD) is still issuing SHA-1 signed certificates, and using them to secure connections to .mil websites. "The DoD is America's largest government agency, and is tasked with protecting the security of its country, which makes its continued reliance on SHA-1 particularly remarkable. Besides the well known security implications, this reliance could already prove problematic amongst the DoD's millions of employees. For instance, Mozilla Firefox 43 began rejecting all new SHA-1 certificates issued since 1 January 2016. When it encountered one of these certificates, the browser displayed an Untrusted Connection error, although this could be overridden. If DoD employees become accustomed to ignoring such errors, it could become much easier to carry out man-in-the-middle attacks against them."

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 12, 2016 1:28 UTC (Tue) by geek (guest, #45074) [Link]

What could go wrong?? Here:
http://nuclearweaponarchive.org/Usa/Weapons/Wpngall.html

Dave

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 12, 2016 2:10 UTC (Tue) by smoogen (subscriber, #97) [Link] (5 responses)

Actually what will happen is that "updated" versions of Mozilla will not be allowed to be installed on .mil computers. Large organizations can't just turn off/change infrastructure as quickly as various groups somehow think they can. There are NT 3.51 systems that are still in use in the PKI world which aren't going to be turned off etc until their respective satellite finally deorbits. There are various industrial systems that are PDP-11's on a chip that won't be 'upgraded' for at least another 20 years because a) they cost millions of 1970's dollars to originally build and would take billions of 2020 dollars to replace. [EG in 20 years they will still be running and someone will make money replacing the PDP-11 on a chip with a virtual PDP-11]

I expect that SHA-1 will still be used and running in various systems until 2020 unless a huge IT investment comes down the pipe.

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 12, 2016 6:13 UTC (Tue) by Otus (subscriber, #67685) [Link]

> Actually what will happen is that "updated" versions of Mozilla will not be allowed to be installed on .mil computers.

Firefox has dominated the news for moving first, but Google and Microsoft have agreed to do the same thing. Chrome 48 is meant to do what Firefox did in a couple of weeks. Not sure about Microsoft's schedule.

So it would mean no updated browsers, period, pretty soon. I should hope no one important will try to live on old browsers until 2020.

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 12, 2016 7:56 UTC (Tue) by keeperofdakeys (guest, #82635) [Link]

Funnily enough, Mozilla announced a few days ago that they are re-enabling SHA-1 certificates due to man-in-the-middle proxies. (SHA-1 interception is arguably better than no https available at all). I haven't seen any announcements relating to how long this will last though. https://blog.mozilla.org/security/2016/01/06/man-in-the-m...

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 12, 2016 10:40 UTC (Tue) by epa (subscriber, #39769) [Link]

There is nothing wrong with keeping old systems in use. If it ain't broke, don't fix it. But you do not connect them to the public Internet.

Possibly if access to the older systems is over some kind of VPN which provides its own secure network connection, browsers should be configurable to be less fussy about older hash functions and ciphers when using https.

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 12, 2016 11:37 UTC (Tue) by Wol (subscriber, #4433) [Link]

> Actually what will happen is that "updated" versions of Mozilla will not be allowed to be installed on .mil computers. Large organizations can't just turn off/change infrastructure as quickly as various groups somehow think they can.

If your job is "security" and your system is using "smoke and mirrors" security, then surely upgrading has a very high priority? Sure, an oil-tanker can't turn on a dime, but if you're the Torrey Canyon you shouldn't have gotten in to that situation in the first place! (The wikipedia article isn't that informative, but they knew the ship was going to wreck long before it actually did).

Cheers,
Wol

US military still SHAckled to outdated DoD PKI infrastructure (Netcraft)

Posted Jan 15, 2016 17:37 UTC (Fri) by hkario (subscriber, #94864) [Link]

> Large organizations can't just turn off/change infrastructure as quickly as various groups somehow think they can.

I would agree with you, if this schedule wasn't announced more than a year in advance.

No supported systems (be it Windows or Linux) have problems with SHA-256. Even Windows XP will handle them fine, if you update it past SP3.

> There are various industrial systems that are PDP-11's on a chip that won't be 'upgraded' for at least another 20 years because a) they cost millions of 1970's dollars to originally build and would take billions of 2020 dollars to replace.

then put an Intel NUC before it running Linux with an instance of stunnel and make it handle crypto from this century