en English
X

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

en English
X

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

Encrypt As We Say, Not As We Do: The NSA and SHA-1 Certs

As Bruce Schneier and others have reported, your friends at the National Security Agency’s Information Assurance Directorate (IAD) recently issued a FAQ regarding their new Commercial National Security Algorithm Suite, intended to futureproof national security systems against the looming threat of quantum computing. Among their recommendations is the use of SHA-384 to sign certificates (a step up from SHA-2, the current industry standard ).

One small issue with the IAD’s link to their FAQ – it throws this message when clicked:

IAD_SOL
A quick check at SSLShopper shows that the certificate for iad.gov uses an obsolete (and dangerous) SHA-1 signature, and apparently has a broken chain of trust to boot – problems serious enough to get red-flagged by all modern browsers.

Further proof, we guess, that security is tough to get perfect – even when you’re a branch of the NSA.

The (insecure-as-of-this-writing) link to the IAD FAQ is here – use at your own risk.

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com