*** For administrators ***

 

We would like to point out a looming shortcoming in the configuration of many servers at RWTH. It concerns the settings for secure web access, specifically weaknesses in many certificates and outdated protocols. The hash algorithm SHA-1 is no longer considered secure enough. Therefore, certificates that still use SHA-1 are no longer considered reliable. Google has now begun to mark websites that use certificates with SHA-1 as no longer entirely reliable in new versions of the Chrome browser [1] [2]. This in turn may lead to uncertainty among our users. For this reason, we will exchange the IT Center certificates in the coming weeks and months. You are invited to bring your certificates up to date as well. Of course, this also applies to certificates in the context of other services. There are websites that help you check whether your server uses SHA-1 [3]. For more information you may visit, for example, osxdaily [4].
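A local check for the SHA-1 problem described above, as an added example that is not part of the original notice: it reads the outer signature algorithm from a DER-encoded X.509 certificate using only Python's standard library. The function names and the stub sample certificate are constructed for illustration, and `check_host` needs network access to the server being checked.

```python
import ssl

# Signature-algorithm OIDs -> (name, signed with SHA-1?)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)    # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(der[oid_start:oid_end])

def check_certificate(der):
    oid = signature_oid(der)
    name, sha1 = SIG_ALGS.get(oid, (oid, None))  # unknown OIDs are reported as-is
    return name, {True: "replace: SHA-1", False: "ok", None: "unknown algorithm"}[sha1]

def check_host(host, port=443):  # live check of the leaf certificate; needs network
    pem = ssl.get_server_certificate((host, port))
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem))

# Constructed sample (not a real certificate): stub tbsCertificate, RSA OID, dummy signature.
def constructed_cert(last_arc_hex):
    return bytes.fromhex("30183003020101300d06092a864886f70d0101" + last_arc_hex + "050003020000")
```

Only the certificate presented by the server itself is examined; intermediate certificates in the chain have to be checked separately.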

The second problem relates to SSLv3. All current browsers now work fine with the newer TLS protocols. The SSL protocols are outdated and have security vulnerabilities. For this reason, we are turning SSL off completely on the servers of the IT Center and will offer only TLS for access to our services. We will not be able to change all the servers immediately, but will switch them over depending on urgency and expected side effects. Instructions for testing susceptibility and for switching off SSL are available on the web [6][8].

I would like to thank those who helped gather and evaluate the information. I would particularly like to mention Jens Hector, Bernd Kohler, Ekaterina Papachristou and Peter Steves.

Guido Bunsen
IT Manager Security at the IT Center of RWTH

Sources:

[1] http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

[2] https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

[3] https://shaaaaaaaaaaaaa.com/

[4] http://osxdaily.com/2012/02/09/verify-sha1-hash-with-openssl/

[5] http://arstechnica.com/security/2012/10/sha1-crypto-algorithm-could-fall-by-2018/

[6] http://www.heinlein-support.de/blog/security/deaktivieren-sie-sslv3-apachepostfixdovecot-poodle-bug/

[7] http://www.heise.de/security/meldung/So-wehren-Sie-Poodle-Angriffe-ab-2424327.html

[8] https://www.ssllabs.com/ssltest/