Doing these properly in a continuous manner is extremely complex given all the dependencies in current distributed systems - where we start turning on encryption in more places where we don't have full control.
Doing a bit of a look back on the SHA-1 deprecation topic, I found these advisory services that have provided early warnings:
- Google Developers Feed - e.g.: Deprecation for SHA-1
- Google Security Blog - e.g.: SHA-1 sunsetting article in 2014
- Apple Developer Forum - e.g.: SHA-1 deprecation
- Microsoft Security Advisories. e.g.: Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program and Windows Enforcement of SHA1 Certificates
And on more generic crypto blogs:
- Schneier blog. e.g. "SHA-1 is broken"
- SSL Labs - e.g. SHA-1 deprecation
- (this list could explode easily)
So there will still be more patching to deprecate SHA-1 so for those of you that haven't looked into this issue, don't wait to investigate!
No comments:
Post a Comment