Linux User Group of Mauritius Promoting open source software in our beautiful island

27Dec/150

Tell your SSL vendor to randomize the serial number of your certificate !

Posted by logan

Are you using SSL for your business ?

Like many of you, we rely on SSL for checking our mails, and doing bank transfers. As I said previously, local banks reduce the amount of money spent of papers by actively encouraging clients to use Internet Banking. I have the latest Android on my mobile phone, and I can connect to Internet Banking using the latest security technologies. However, not everybody can afford the latest android smartphone. A lot of people are still using Android KitKat in Mauritius. If tomorrow, MCB or SBM decide to deprecate SHA-1 for their SSL (a hash algorithm which is getting dangerously weak), and go with SHA 256 (a more secure hash algorithm) only, a lot of clients might not be able to connect to Internet Banking. Why ? It's because many widely-used software do not support SHA-256 very well.

What can we do with certificates with SHA-1 hash ?

CloudFlare proposed here that generating certificates containing SHA-1 hash should randomize the serial number to make it more difficult to forge those digital certificate and impersonate your business. Note that this does not mean that you should not advise your clients to upgrade their hardware and software and relax. It buys your clients more time to properly budget for their upgrade costs of their hardware and software to be SHA 256 ready.

For example, hackers.mu uses SSL. We asked on our SSL vendor forum about randomizing the serial number. We recommend to Banks such as MCB and SBM to ask their SSL vendors about the possibility of randomizing the serial number, with 20-bit entropy. Any other businesses that rely on SSL for their business should consider formulating the same request to their SSL vendors. If your SSL vendor flatly refuses, then you have a reasonable argument for moving to another SSL vendor.

Filed under: tls No Comments