Vulnerability category: General remote services
Severity:
Vulnerability information
Hash algorithms are used to generate a hash value for a message (an arbitrary block of data) such that a number of cryptographic properties hold. In particular, a hash algorithm is expected to be resistant to collisions: given a message m, it should be difficult to compute a second message m' such that both have the same hash value.
Hash algorithms are used in many cryptographic applications. In particular, they are used in order to sign X.509 certificates used to verify identity in a variety of applications, including SSL communications.
SHA1 has been deprecated for certificate signatures. In 2017, all browsers will stop trusting web sites that continue to use this weak hash function for signatures.
Vulnerability impact
An attacker may create a pair of X.509 certificates with differing information which share the same signature. If one of the certificates is signed, the signature may be used for the second certificate as well. It is possible to exploit this issue to gain a signed certificate for an identity the attacker does not control, or to gain a signed certificate as an intermediary signing authority. In the second case, the attacker will be able to sign additional, arbitrary certificates which will be trusted by any party trusting the original, legitimate authority.
An attacker is most likely to exploit this issue to conduct phishing attacks or to impersonate legitimate Web sites by taking advantage of malicious certificates. Other attacks are likely to be possible.
Solution
Workaround:
If the certificate is signed using the SHA1 hash function, a new certificate should be obtained that uses a more collision-resistant hashing algorithm such as SHA-256.