36

I am on a website where I need to pay for something. This website has the following warning in the top left:

[screenshot of the Chrome warning]

This site uses a weak security configuration (SHA-1 signatures) so your connection may not be private

Should I go ahead and enter my card details and pay for something on this site?

What are the security risks?

Extra Info:

I am using Google Chrome on a Windows 10 Machine.

In internet Explorer I get the following Message:

[screenshot of the Internet Explorer message]

StackzOfZtuff
User1

5 Answers

72

It's a bad sign, but it is still very unlikely that the connection is being eavesdropped on.

The website appears to have a valid certificate signed by a certificate authority, but it is signed with a weak and obsolete hash algorithm.

What does that mean?

It means the connection is encrypted and a passive eavesdropper still cannot listen in. But a determined attacker with access to lots of processing power could generate a fake certificate for this website and use it to impersonate the website. So it is possible you aren't actually on the website you think you are but are instead on one controlled by a hacker. But such an attack would require quite a lot of resources and would additionally require being in control of a router between you and the website.

But even when we assume that no attack is taking place, we should keep in mind what impression this makes. SHA-1 has been obsolete for quite a while now. When the admins of that site still do not bother to update, that's a quite bad sign for their general competence. It could mean that they are also quite lax regarding other aspects of the security of their website. The final decision about what information you provide them with is yours to make.

Philipp
  • So does this mean the weak certificate is only vulnerable to a `Man in the middle` attack? So if I could guarantee I was on a safe network then this weak hashing algorithm shouldn't be a problem? – User1 May 26 '16 at 09:44
  • 3
    @user1 It's not just your network which matters, but also their network and any network in between. But as I said, an attack is very unlikely because generating a certificate which matches a given SHA-1 hash still requires quite a lot of processing power. – Philipp May 26 '16 at 09:46
  • 6
    @user1 Regarding how much processing power it takes: There is [an analysis by Jesse Walker](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html) which was endorsed by [Bruce Schneier](https://www.schneierfacts.com/). – Philipp May 26 '16 at 09:51
  • 2
    @Philipp Wow Thanks. That really demonstrates the small risk. - Showing the estimated cost as: "29 * 28.4 = 217.4 ~ $173K by 2018" – User1 May 26 '16 at 10:11
  • 6
    @user1 It's worth noting that this cost computation involves AWS, which is much more expensive than necessary. A determined criminal would probably not be using AWS, but rather botnets or custom-built server rigs (probably using GPUs), which are both much cheaper and harder to tie to them than hundreds of thousands of dollars worth of public cloud compute time. As stated, it's a back of the envelope calculation, and probably a lot closer to a worst case for attackers than a best case. – HopelessN00b May 26 '16 at 14:05
  • 1
    However it's also worth noting that the cost computation is for a simple collision attack. That is generating two files of random garbage with the same sha1 hash. Creating a bogus certificate using hash function weaknesses is not that simple. It requires a "distinct chosen prefix" collision attack (harder than a basic collision attack) *and* a CA with bad issuing practices. A preimage attack would eliminate the need for the CA with bad issuing practices but preimage attacks are far far harder than collision attacks. – Peter Green May 26 '16 at 15:15
  • If they have that much computing power wouldn't they just generate some bitcoins? – Dave May 26 '16 at 16:26
  • 4
    @Dave If they were stupid, they might. It's no longer possible to profitably generate BitCoins with anything other than ASICs (Application Specific Integrated Circuits), and hasn't been for a few years. – HopelessN00b May 26 '16 at 16:35
  • @user1 There is no such thing as a "safe" network unless you are peering with that company over a direct link. – Navin May 27 '16 at 05:12
  • @Navin and that's not safe, either – Hagen von Eitzen May 27 '16 at 06:01
  • @HopelessN00b, on the other hand, it assumes that Moore's Law continues, which is a best case. – Paul Draper May 27 '16 at 18:36
  • I thought SHA-1 interception can be done even on a high-security website if your browser exposes it? Via a MitM attack? – Yakk May 29 '16 at 14:05
  • @HopelessN00b it hasn't been profitable if you pay for the power. Botnets and malware don't pay for the power they use. – Yakk May 29 '16 at 14:06
  • A group of researchers hacked the NASA careers site which was using SHA-1, it took them $100 of AWS credit – noɥʇʎԀʎzɐɹƆ May 29 '16 at 16:42
  • @JamesLu Could you provide a source? I am pretty sure you are mixing up things here, because there are a lot of applications for SHA-1 besides certificate signatures and for some of them, like cracking hashes of weak passwords, a cost of $100 is not implausible at all. – Philipp May 29 '16 at 16:49
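The warning in the question is about one field of the certificate, the algorithm used to sign it, and Philipp's answer explains why a SHA-1 value there matters. As an added example, not code from the question or from any answer, the following standard-library Python script reads that field out of a DER-encoded certificate, flags MD5 and SHA-1, and also checks that the outer `signatureAlgorithm` agrees with the copy inside `tbsCertificate`, which RFC 5280 section 4.1.2.3 requires (a mismatch indicates tampering or a broken issuer rather than merely an old hash). The certificates it runs on offline are constructed stubs containing only the fields the parser needs, not real certificates; `build_stub_certificate`, the OID table and all function names are my own.

```python
"""Added example: stdlib-only inspector for the signature algorithm of a DER X.509
certificate.  Flags MD5/SHA-1 (the cause of the warning in the question) and checks
that signatureAlgorithm and tbsCertificate.signature agree, as RFC 5280 requires."""
import ssl

# signature-algorithm OID -> hash it uses (the subset that matters here)
HASH_BY_OID = {
    "1.2.840.113549.1.1.4": "MD5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.1": "SHA1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA256",    # ecdsa-with-SHA256
}
WEAK_HASHES = {"MD5", "SHA1"}

def read_tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER body (first arc 0..2, true for all OIDs here)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_id_value):
    """OID from AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, value, _ = read_tlv(alg_id_value, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(value)

def inspect_certificate(der):
    """Hash used by the certificate's signature, plus weak-hash and mismatch verdicts."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)              # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)        # signatureAlgorithm (signatureValue follows)
    tag, _, p = read_tlv(tbs, 0)                 # [0] EXPLICIT version is optional
    if tag == 0xA0:
        tag, _, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not where expected")
    _, inner_alg, _ = read_tlv(tbs, p)           # tbsCertificate.signature
    outer_oid, inner_oid = algorithm_oid(outer_alg), algorithm_oid(inner_alg)
    hash_name = HASH_BY_OID.get(outer_oid, "unknown")
    return {"signature_algorithm": outer_oid, "hash": hash_name,
            "weak_hash": hash_name in WEAK_HASHES,
            "algorithm_mismatch": outer_oid != inner_oid}   # RFC 5280 4.1.2.3: MUST match

def inspect_pem(pem_text):
    """Same check on one PEM block, e.g. copied from `openssl s_client -showcerts`."""
    return inspect_certificate(ssl.PEM_cert_to_DER_cert(pem_text))

# --- constructed stub certificates for offline use (not valid certificates) ----------
def der_tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc >> 7:                     # remaining high-order base-128 groups
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der_tlv(0x06, bytes(out))

def build_stub_certificate(sig_oid, tbs_sig_oid=None):
    """TBS holds only version, serial and the inner AlgorithmIdentifier; dummy signature bits."""
    def alg(oid):
        return der_tlv(0x30, der_oid(oid) + b"\x05\x00")          # NULL parameters
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))     # version v3
                  + der_tlv(0x02, b"\x01")                        # serialNumber 1
                  + alg(tbs_sig_oid or sig_oid))
    return der_tlv(0x30, tbs + alg(sig_oid) + der_tlv(0x03, b"\x00" + b"\xAA" * 8))

if __name__ == "__main__":
    print("sha1    ", inspect_certificate(build_stub_certificate("1.2.840.113549.1.1.5")))
    print("sha256  ", inspect_certificate(build_stub_certificate("1.2.840.113549.1.1.11")))
    print("mismatch", inspect_certificate(
        build_stub_certificate("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5")))
```

To check a real site, capture its chain with `openssl s_client -connect example.com:443 -showcerts </dev/null` and hand each PEM block to `inspect_pem` one at a time. Look at the intermediates as well as the leaf: a SHA-1 signature anywhere below the root triggers the browser warning, while the root's own self-signature is irrelevant, because a trust anchor is trusted by identity, not by its signature.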
25

As others have said, technically the risk is small for a MiM attack. However this has a larger problem and implication.

Should I go ahead and enter my card details and pay for something on this site?

NO, YOU SHOULD NOT USE THIS SITE FOR A CARD TRANSACTION

The SSL issue is, as stated by others, relatively minor, however, using a SHA-1 hash means two very important things.

  1. They have not followed PCI DSS best practices. Using SHA-1 in signing certificates, or in the encryption itself, is not recommended, and has to have an exception made for it during an AVS (Automated Vulnerability Scan). Meaning that, the last time they did a PCI scan, they had to go out of their way to pass because they were not following a best practice. SHA-1 hashes can only be used in some circumstances, and only to support legacy setups. You must always support another hash. Because you're using Windows 10 you support the newer hashes; they do not.
  2. If they can't be bothered to do this very simple, easy, and required certification, then they simply don't care enough about the security of your credit card for you to trust them with it.

Important notes:

  • I help clients with PCI compliance all the time. It's fairly straightforward and simple. It takes "some time", but it's a very small investment if you're going to handle cards. (maybe 2-3 days with 1-2 hours a day, after a big push of 4 hours on the first day, the first time around, which is mostly reading the rules, for the lowest level of PCI compliance)
  • In no way is a PCI compliance sticker an "I am un-hackable" label. It only means that you did a minimum set of things to attempt to protect card data. In many ways it's not even "enough"; it's more of a starting point.
  • There are different levels of PCI compliance, but the lowest levels (for sites that hand off the transaction to a third party like PayPal to do the actual data collection and processing) still cannot use a SHA-1 SSL cert by itself.
  • All payment gateways (like PayPal) that I am aware of that let you pass in transaction details (not just a buy-now button) require you to be at the lowest level of PCI compliance.

Note: When writing this answer and with the comments, significant changes to the answer needed to be made. In short, the use of SHA-1 hashes in a PCI compliant setting is very obscure, and relies on a mesh of different rules to allow it. While not currently outright forbidden in current PCI-DSS setups, it soon will be. Currently it is allowed only through a combination of clauses meant to support odd/old client (browser) configurations. Most notably the "Older SSL" clauses that allow for insecure SSL setups with other means of security in order to support older (think IE6) browsers. This answer has changed a lot to reflect this. The notes below are from the original answer, but show, IMO, an important process.

Note: After some research, this answer, based mostly on the fact that they didn't bother to do the PCI audit at all, is largely wrong. They could have completed the PCI audit. That being said, the general idea is still true. If they "worked around" the SHA-1 issue instead of just updating to "something else" then my opinion stands. Keep in mind that allowing SHA-1 is supposed to be for "aging, old, and legacy" systems and not as an ongoing practice. You now (today) have to have a migration plan in place even to pass the audit.

More notes: I will have to address this and clean up this answer, but according to "the docs" there are some general rules. First, older sites can still offer SHA-1 as an encryption or signing option, but only if other, stronger options are available too. New sites cannot offer SHA-1 at all. Any sites using SHA-1 must have a migration plan. (AVS should auto-fail, but you can get an exception.) Lastly, there is a clear cutoff date for SHA-1 (though it can be moved, yet again).

coteyr
  • 2
    The PCI document linked here is for POS terminals, rather than website transactions, which have slightly higher security requirements. Currently, there is still an exception for SHA-1 to be used for TLS certificate signatures in the PCI DSS standard, for some reason, although I'd hope this was removed in the next revision. This exception does not apply to physical terminals, for good reason! – Matthew May 27 '16 at 06:03
  • My mistake, I know it always gets flagged as not allowed (it's on by default in Apache mod_ssl) let me see if I can find some documentation. – coteyr May 27 '16 at 11:37
  • I will admit to a bit of confusion here. It seems that while SHA-1 hashes are allowed in some contexts it's not a best practice, and thus always gets flagged (for me with my settings). You can still use SHA-1 in some circumstances. – coteyr May 27 '16 at 11:58
  • Yes, it's certainly not ideal, but in this case, it's not an automatic fail - no where near as bad as exposing PAN data or similar – Matthew May 27 '16 at 12:05
  • So it looks like as of the current revision, you're only allowed to use SHA-1 if you have a migration plan in place, AND your certificates expire before June 2017. If your certs expire after June 2017 you're not allowed to use SHA-1 at all. By default using a SHA-1 signed cert IS an automatic fail (of the AVS) but exceptions are allowed, unless it's the only option available. Bah, it's all complicated for no reason. – coteyr May 27 '16 at 12:16
  • It's all very confusing. By v3.2 of the PCI DSS, SHA-1 certificates are not specifically ruled out, but the implication is that they fall under "SSL/early TLS". However, it is perfectly possible to use TLSv1.2 with a certificate signed with SHA-1, in which case the identity of the certificate could be suspect, but the encryption provided would be strong (e.g. only the person who generated it could decode data encrypted with it, but you can't prove who generated it safely). This is distinct from the POI standard, which does specifically mention signing algorithms. – Matthew May 27 '16 at 12:53
  • Instead of having notes about the incorrectness of your original statement scattered throughout your answer, please just update your answer wholesale and correct the erroneous statements directly. – jpmc26 May 27 '16 at 23:00
15

It means that the certificate used by the site is using an outdated signature algorithm to confirm the certificate identity. Google has been aggressively targeting SHA-1 signatures for site certificates for a couple of years, since there are some theoretical attacks which could result in a fraudulent certificate having a valid signature, although there has not been any evidence of this happening in the wild. Furthermore, the method of attack would require significant effort, and is unlikely to be profitable for anything other than really high value targets.

The main reason for the warnings is to encourage web site owners to update to more secure signing methods, which are usually available for free or low cost from their certificate providers, but offer longer term protection as computer technology improves - this process took 16 years in the case of MD5, the predecessor to SHA-1. The certificate itself is no weaker than any other - in fact, it is technically possible for a single certificate to be signed by both SHA-1 and SHA-256 methods. There may be other weaknesses in the certificate, but it's not possible to see from the screenshots provided.

Overall, it suggests a slightly shoddy approach to security of the site, but doesn't itself mean that your card details are likely to be stolen in transit. It may be worth contacting the company pointing out this error, and suggesting they update the certificate, especially if you need to make purchases from there regularly.

Also, see https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1 for some more details on this.

Matthew
  • Is "in the wild" a necessary qualifier? Is there any known evidence of this happening outside the wild, so to speak? – user541686 May 26 '16 at 21:35
  • There have been unsubstantiated rumours, but nothing solid - by its very nature, any such attacks would be very secretive. For all I know, the NSA has a setup making fake certs in hours, but I'd consider it unlikely! – Matthew May 27 '16 at 05:49
  • OK, so I guess the question is, do ordinary people actually need to worry about this in ordinary situations? It's not like MD5 where an attack was actually demonstrated anyway, and it's not like everyone is worried about the NSA with *every* single website they visit. If StackOverflow used SHA-1, should *everyone* freak out if the NSA had broken SHA-1 and could see what they were doing on StackOverflow? Like, let's be honest: not really. Maybe 0.01% of the users will freak out for some reason, but what about the rest? I would even *hope* they waste their resources on me... – user541686 May 27 '16 at 06:14
  • ...and SHA-1 would be plenty enough in that case. If my neighbor could break SHA-1 in a week and see my login credentials, *maybe* I could care. But really, if the only threat is a some huge organization like the NSA, SHA-1 is plenty good enough and need not be banned... – user541686 May 27 '16 at 06:17
  • Exactly. It's unlikely that the certificate means that data will be stolen in transit, but the possibility exists, but it's much more likely that a site which hasn't updated this also hasn't updated other features, which may cause problems - using SHA-1 hashing for passwords, for example, which is completely unacceptable. – Matthew May 27 '16 at 06:17
  • @mehrdad Not quite, to your second comment. It's being deprecated to ensure it's completely removed before your neighbours can do these attacks. This process takes a long time, so it's good to start it before any problems are easy to exploit, so by the time the exploit is trivial, no one is using the flawed system. – Matthew May 27 '16 at 06:20
  • Deprecated, sure -- I don't have a problem with the old approach of demoting their icons to something other than the green "secure". But aggressively marking them with *red* as less-secure-than-plain-HTTP seems just dishonest when we don't even know for sure of a single case of SHA-1 having ever been broken, let alone one in the wild... – user541686 May 27 '16 at 06:27
  • You wrote *"in fact, it is technically possible for a single certificate to be signed by both SHA-1 and SHA-256 methods"*. Huh? How so? Are we talking x509 certs? They can only have one hash/signature tag, right? – StackzOfZtuff May 30 '16 at 14:25
1

Others have noted the problems getting the card info to the site, but you must also think about how they handle that information internally. I once worked at a dotcom that stored credit card info in our database in plain text. Anyone with access to client info could see them.
Lazy certification is only the tip of the iceberg, IMO.

Engineer
-1

Besides the normal Philip Dick kind of paranoia which tells you nothing is as it seems -- ever -- there is nothing that can be inferred from simply seeing that Chrome has alerted you to a site's using SHA-1 for their certificate's signature. Google said they were going to do this back in 2014. You could be on Amazon.com, using Chrome. The fact is, if Amazon hasn't started encrypting their certificates' signatures using SHA-2, Chrome will throw a warning.

benJephunneh