Cahoot's cert

Jon Ribbens jon+ukcrypto at unequivocal.co.uk
Thu May 7 11:37:22 BST 2015


On Wed, May 06, 2015 at 11:48:06PM +0100, Melanie Dymond Harper wrote:
> > From: Jon Ribbens <jon+ukcrypto at unequivocal.co.uk>
> > The Chrome alert is because the certificate is using an SHA1 hash,
> > and as of fairly recently, Chrome has started to complain mildly about
> > this because it is considered weak but it is not completely broken.
> 
> For once Chrome isn't complaining about this aspect, because while it is 
> an SHA-1 cert, it expires in 2015 and thus isn't covered by Chrome's 
> complaints about such certs -- they are distrusting SHA-1 certs (or 
> certs involving a SHA-1 intermediate in their chain) which expire on or 
> after 1/1/2016. This time it's complaining about something 
> algorithm/cipher related, and I really wish they would be more explicit 
> about exactly what the problem was in each case; I have spent a significant 
> amount of support time dealing with this sort of question lately...

For securebank.cahoot.com, the certificate expires 14th May 2016 so
SHA1 *is* what Chrome is complaining about. For www.cahoot.com, the
cryptography is particularly rubbish given that it's using MD5 and
RC4, but as you say the expiry is in 2015 and what Chrome is actually
complaining about is that the page mixes content from http and https
sources.


