193 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
Exit Stage Left
Wed, Oct 5th 2016 4
My Two Big Questions Heading in to IBM Connect 2016
Wed, Jan 27th 2016 4
Speaking at IBM Connect
Tue, Jan 26th 2016 8
IBM Champion.. Again
Tue, Nov 24th 2015 6
IBM Connections Cloud Meetings Get a New Look and Audio/Video
Mon, Jun 22nd 2015 7
Why I still have faith in LastPass
Tue, Jun 16th 2015 8
The 2015 Lotusphere Closing Ceremony
Wed, Feb 4th 2015 4
Top 10
Adding Two Factor Authentication to IBM Connections Cloud
Tue, Feb 3rd 2015 10
Why I still have faith in LastPass
Tue, Jun 16th 2015 8
Speaking at IBM Connect
Tue, Jan 26th 2016 8
IBM Connections Cloud Meetings Get a New Look and Audio/Video
Mon, Jun 22nd 2015 7
The 2014 Lotusphere Closing Ceremony
Thu, Feb 6th 2014 6
IBM SmartCloud rebranding to IBM Connections Cloud
Wed, Sep 3rd 2014 6
IBM Champion.. Again
Tue, Nov 24th 2015 6
IBM ConnectED 2015 Call for Abstracts is now open
Tue, Sep 16th 2014 5
IBM Updates on SHA-2 and POODLE
Tue, Oct 21st 2014 5
IBM Connect 2014 By the Numbers
Thu, Feb 6th 2014 4


IBM Domino , Google, and SHA-1
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Mitch Cohen    

There is a lot of talk these days about Google’s decision to accelerate the deprecation of SHA-1, and IBM Domino’s lack of support for SHA-2 .  Right off lets get this straight IBM absolutely should have plans to add SHA-2 support in Domino and an implementation date should be communicated ASAP.  At the same time the pressure should really be on Google to back down from what is an arbitrary deadline they announced out of the blue, and to support the previously announced 2017 date for the deprecation of SHA-1.

While it is easy to blame IBM here (and again IBM needs to communicate a date they will support SHA-2 in Domino) the immediate deprecation by Google is an arbitrary move that does not have a lot of support.

Some facts

  • Microsoft previously announced their plans to deprecate SHA-1 in 2017
  • Currently 92% of certificates on the Internet are SHA-1 signed
  • Google then decided to begin deprecating SHA-1 in November of this year
  • SHA-1 has not been compromised or hacked
  • Google as an Intermediate CA is issuing them with SHA-1 (but their deprecation policy exempts their own certificates)

 

Here is a statement from the CA Security Council 

Although the CA Security Council (CASC), comprised of the seven largest Certificate Authorities, supports migration to SHA-2, members are concerned about the impact on website users and administrators alike. Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact on a complete SHA-1 migration, this 12 week timeline is aggressive. In addition, many devices still lack SHA-2 support, making necessary possibly unplanned and expensive upgrades.

With fall shopping season nearly here, this policy may be particularly concerning for small internet stores, which could be impacted just before the holiday rush. Because many large sites have lockdown periods leading up to the end of the year, companies that have not transitioned may find themselves restricted from making the move until January, or beyond, due to lack of SHA-2 support. Although a migration to SHA-2 is necessary as computing power increases, because of the significant impact in migration and the lack of a practical attack until 2018, the CASC members recommends thetimelines announced by Microsoft in November 2013, which deprecate SHA-1 in code signing certificates by January 1, 2016 and in SSL certificates by January 1, 2017.

If you want a clear explanation on all this, listen to what Steve Gibson has to say about it on Security Now (If it does not begin there automatically pick up the podcast at 48:37 for the SHA-1 discussion)



---------------------
http://www.curiousmitch.com/2014/09/ibm-domino-google-and-sha-1/
Sep 23, 2014
3 hits



Recent Blog Posts
4
Exit Stage Left
Wed, Oct 5th 2016 10:53a   Mitch Cohen
Nominations are open for the class of 2017 IBM Champions for IBM Collaboration Solutions. My current work has taken me in a different direction, and I have spent very little time this past year in the IBM space.  I do miss it a little, but I’ve been enjoying new challenges and learning new things. I do miss blogging here. It’s not for lack of ideas, but mostly due to lack of time of late. I would love to make some updates to this site and post a little more often. Hopefully I can fi




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition