Microsoft may phase out support for TLS certificates that use the SHA-1 hashing algorithm as early as June 2016. The decision comes in the wake of recent calculations that suggest generating collisions is quicker and cheaper than previously anticipated.
SHA-1 is a hash algorithm, used to derive a 128-bit value from an arbitrary input. Its intent is for collisions—different inputs that hash to the same 128-bit value—to be hard to generate. As compute power has steadily grown over the years, it becomes quicker and cheaper to generate collisions. It was previously projected by Bruce Schneier, based on the observed growth of compute power, that creating SHA-1 collisions would be within reach of criminals by 2018 at a cost of about $173,000. On this basis, Microsoft intended to cease supporting the use of new SSL/TLS certificates using SHA-1 on January 1, 2016 and all SHA-1 SSL/TLS certificates on January 1, 2017.
The new cost and performance estimates, however, suggest that the cost is both drastically lower—$75,000 to $120,000—and that the compute resources are immediately available through cloud services such as Amazon EC2. This has given browser vendors little option but to reconsider the previous 2017 timetable for retiring support of SHA-1.
If you have a Lenovo system that includes the Superfish malware, you'll want to remove it. Blowing away your system and reinstalling Windows is one way to do this, but while it's a relatively straightforward process, it's a time-consuming one. Using Lenovo's own restore image won't work, because that will probably reinstate Superfish anyway. Performing a clean install from Windows media will work, but you'll have to reinstall all your software and restore all your data from backup to do the job fully.
An alternative is to remove the malware itself. Lenovo has published instructions, but at the time of writing, they're woefully inadequate. Lenovo's instructions describe how to remove the advertising software, but unfortunately, it doesn't address the important bit: the gaping security vulnerability.
The Superfish root certificate can be used to create certificates for any domain, and those certificates will be implicitly trusted by the browser on any Superfish-infected system, leaving victims vulnerable to man-in-the-middle attacks. To fix this, the certificate itself needs to be removed.
Hewlett-Packard has alerted some customers that it will be revoking a digital certificate used to sign a huge swath of software—including hardware drivers and other software essential to running on older HP computers. The certificate is being revoked because the company learned it had been used to digitally sign malware that had infected a developer’s PC.
An HP executive told security reporter Brian Krebs that that the certificate itself wasn’t compromised. HP Global Chief Information Security Officer Brett Wahlin said that HP had recently been alerted to the signed malware—a four-year old Windows Trojan—by Symantec. Wahlin said that it appears the malware, which had infected an HP employee's computer, accidentally got digitally signed as part of a separate software package—and then sent a signed copy of itself back to its point of origin. Though the malware has since been distributed over the Internet while bearing HP's certificate, Wahlin noted that the Trojan was never shipped to HP customers as part of the software package.
“When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case,” Wahlin told Krebs. “We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact.”