[cabfpub] The Shappening: freestart collisions for SHA-1 (was Re: Ballot 152 - Issuance of SHA-1 certificates through 2016)

Rob Stradling rob.stradling at comodo.com
Thu Oct 8 10:16:37 UTC 2015

Is Ballot 152 dead yet?


"Our recommendations

We recommend that SHA-1 based signatures should be marked as unsafe much 
sooner than prescribed by current international policy. Even though 
freestart collisions do not directly lead to actual collisions for 
SHA-1, in our case, the experimental data we obtained in the process 
enable significantly more accurate projections on the real-world cost of 
actual collisions for SHA-1, compared to previous projections. 
Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015) 
between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few 
months. By contrast, security expert Bruce Schneier previously projected 
the SHA-1 collision cost to be ~173K$ by 2018. Note that he deems this 
to be within the resources of a criminal syndicate. Large corporations 
and governments may possess even greater resources and may not require 
Amazon EC2. Microsoft, Google and Mozilla have all announced that their 
respective browsers will stop accepting SHA-1 based SSL certificates by 
2017 (and that SHA-1-based certificates should not be issued after 
2015). In conclusion, our estimates imply SHA-1 collisions to be now 
(Fall 2015) within the resources of criminal syndicates, two years 
earlier than previously expected and one year before SHA-1 will be 
marked as unsafe in modern Internet browsers. This motivates our 
recommendations for industry standard SHA-1 to be retracted as soon as 
possible. With our new cost projections in mind, we strongly and 
urgently recommend against a recent proposal to extend the issuance of 
SHA-1 certificates with a year in the CAB/forum (discussion closes 
October 9 2015, vote closes October 16)."

On 06/10/15 16:23, Dean Coclin wrote:
> Yes, Ryan is correct. Nonetheless, I am going to add it to the agenda
> for this week’s meeting.
> Dean
> *From:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of *Ryan Sleevi
> *Sent:* Tuesday, October 06, 2015 9:25 AM
> *To:* Jeremy Rowley
> *Cc:* Rick Andrews; public at cabforum.org
> *Subject:* Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates
> through 2016
> On Mon, Oct 5, 2015 at 10:02 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>> wrote:
> Also  - a point of order on this, but I thought all ballots needed one
> telephone call or face to face before they could be started?  Did that
> change?
> That was never required by the bylaws. While a good idea to gauge as a
> bellwether for the likeliness of the ballot to succeed, any member may
> propose a ballot at any time, so long as requisite number of co-sponsors
> is found, adequate time is given for review and voting, and that review
> and voting is clearly indicated in the ballot.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list