It Is 2019, and ESPN Still Doesn’t Give a S— About Its Users’ Security

Why the f— is ESPN still not using TLS in 2019? This is extremely irresponsible behavior from a company owned by one of the largest media companies in the world (Disney). There are zero excuses for putting its users at risk this way.

Mozilla’s Cartoon Intro to DNS over HTTPS

Mozilla’s Lin Clark has a cartoon guide to DNS over HTTPS that . . . well . . . bottom line, there is no way to talk about DNS over HTTPS without getting fairly technical (one of the subheads on Lin’s lengthy pice is “What isn’t fixed by TRR with DoH?”) but this is probably as close as anyone is going to get.

A cartoon intro to DNS over HTTPS
A cartoon intro to DNS over HTTPS

Mozilla/Microsoft Consider Accelerating Timetable for Blocking SHA-1 Certs

In a recent blog post, Microsoft said it may follow Mozilla in accelerating its timetable for blocking SHA-1 signed TLS certs.

Mozilla, Microsoft and Google have all announced plans to block SHA-1 signed certs beginning in 2017, but the cost and time to create SHA-1 collisions just keeps plunging.

In light of recent advances in attacks on the SHA-1 algorithm, we are now considering an accelerated timeline to deprecate SHA-1 signed TLS certificates as early as June 2016.

In an October blog post, Mozilla said it was considering a July 1, 2016 date for blocking SHA-1 signed certs,

We are re-evaluating when we should start rejecting all SHA-1 SSL certificates (regardless of when they were issued).  As we said before, the current plan is to make this change on January 1, 2017.  However, in light of recent attacks on SHA-1, we are also considering the feasibility of having a cut-off date as early as July 1, 2016.

Both Mozilla and Microsoft are spooked by this report that found,

Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015) between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few months. By contrast, security expert Bruce Schneier previously projected (based on calculations from Jesse Walker) the SHA-1 collision cost to be ~173K$ by 2018. Note that he deems this to be within the resources of a criminal syndicate. Large corporations and governments may possess even greater resources and may not require Amazon EC2. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 based SSL certificates by 2017 (and that SHA-1-based certificates should not be issued after 2015). In conclusion, our estimates imply SHA-1 collisions to be now (Fall 2015) within the resources of criminal syndicates, two years earlier than previously expected and one year before SHA-1 will be marked as unsafe in modern Internet browsers. This motivates our recommendations for industry standard SHA-1 to be retracted as soon as possible. With our new cost projections in mind, we strongly and urgently recommend against a recent proposal to extend the issuance of SHA-1 certificates with a year in the CAB/forum (discussion closes October 9 2015, vote closes October 16).