I ran into this article:
Does this mean there will be a problem for all SHA-256 encryption? Thinking of Letsencrypt certs here, or do those certs use another hash (level)?
It is a little disturbing, to say the least, for those Letsencrypt certs, but the implications are actually a lot wider.
Assuming they are telling the truth, the security community needs to kick into high gear of getting everyone to bump the security of the SSL Certs and other TLS related services to the next level.
It also begs the even scarier question: if Treadwell Stanton DuPont managed to do it and kept quiet about it for the better part of the past year, who else has managed to crack it and use and abuse it without telling anyone or without anyone noticing or suspecting anything, and also for how long?
I agree it is “disturbing” but maybe it should be taken with a grain of salt. It is the only resource I could find on this subject and looking at the rest of that site, it’s all about bitcoin/crypto currency. There is a LOT of “noise” around those crypto currencies. So if it is true? I don’t know.
Reading and searching further it looks more like a hoax… (as in: I can’t find any other sources)
SHA-256 is a hashing algorithm, not an encryption algorithm. If it has indeed been broken*, this means that certificates (from every CA, not just Let’s Encrypt) may be vulnerable to forgery, though certificate transparency and OCSP stapling should mitigate that risk significantly. However, it doesn’t affect the actual encrypted communications at all, as the encryption is done with completely different algorithms.
I’ve raised the issue on the Let’s Encrypt community:
*…and I’m skeptical of this—the release is “we’ve broken it, but we aren’t going to tell anyone how we did it.” This means you’re pretty well stuck taking their word for it.
You could be correct about it being a hoax as there does not appear to be anything out there to confirm or support or even refute their statement.
Yes that is also concerning, just gotta take their word for it, it has to be verified somehow. But I do understand their concern that, if what they say is true, they don’t want the method(s) they used to end up in the wild to be abused.
True—but even if they didn’t disclose their method (which they should), they could at least independently prove that they have the capability. “Here are 100 SHA-256 hashes—generate collisions for them.”
I agree with @danb35. If Treadwell Stanton DuPont cannot prove in any way that claims are correct, it’s only a declaration.
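The kind of independent check proposed in the thread, as an added example (not code from any poster or from Let's Encrypt): a verifier for claimed SHA-256 collisions and preimages. The function names are hypothetical, and the demo collision is found against a 24-bit truncation of SHA-256 only, to show the verifier accepting a genuine truncated collision and rejecting the same pair at full length.

```python
import hashlib
import itertools

def digest(msg: bytes, bits: int = 256) -> int:
    """SHA-256 of msg, truncated to the leading `bits` bits (256 = full hash)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)

def verify_collision(a: bytes, b: bytes, bits: int = 256) -> bool:
    """A collision claim holds only if the inputs differ and the digests match."""
    return a != b and digest(a, bits) == digest(b, bits)

def verify_preimage(target_hex: str, msg: bytes) -> bool:
    """A preimage claim holds only if msg hashes to the published target."""
    return hashlib.sha256(msg).hexdigest() == target_hex.lower()

def birthday_search(bits: int, prefix: bytes = b"challenge-"):
    """Find two inputs that collide on the truncated digest.

    Feasible only for small `bits`; the expected work is about 2**(bits/2).
    """
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()  # constructed sample inputs
        d = digest(msg, bits)
        if d in seen:
            return seen[d], msg
        seen[d] = msg

def run_demo() -> dict:
    a, b = birthday_search(24)  # a few thousand attempts on average
    return {
        "truncated_ok": verify_collision(a, b, 24),    # real 24-bit collision
        "full_ok": verify_collision(a, b, 256),        # not a SHA-256 collision
        "same_input_rejected": not verify_collision(a, a, 24),
    }

if __name__ == "__main__":
    print(run_demo())
```

A claimant who could really break SHA-256 would pass `verify_collision` at `bits=256`, or `verify_preimage` against targets chosen by someone else, without revealing the method.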