I’m very excited to announce the launch of AM I SHA-1 – the SHA-1 Checkinator. This is a site that I have been working on for a few months off and on. Ever since Google announced that they were going to sunset support for SHA-1 support in Chrome, I felt that it would be cool to have an easy site to check your SSL/TLS certs. It isn’t difficult to check your certificates yourself, but not everyone is able to analyze their own certificates and understand the context under which they need to act to upgrade their certificates before the end of 2016. The tool/site I made takes a URL and downloads and parses the certificates for a site, and then helps you determine what action if any is required on your certificates. I realize that there are several tools out there that check for this already, but most of these are bundled into more extensive tests and the tests often take a long time to run. My goal with this site, was to be lean and quick so I focused on just checking for the presence of SHA-1 signatures in chain and leaf certificates. Plus it was a great learning experience.
I’m new here, what does that mean?
So SSL/TLS are what help secure your communications online. It is the lock at the top when you visit your bank’s website. There are many complexities to how SSL/TLS works, but in the context of this conversation. When you go to your banks website, your browser checks to make sure that you are talking to the bank and not someone else who is pretending to be the bank. One of the things that your browser does is check the digital signature of the chain(intermediate verifiers) and leaf(your bank’s) certificate. Digital signatures serve the same purpose that written signatures serve, they allow you to check that someone who is asserting their identity is who they say they are. In the context of certificates, a third party that your browser trusts verifies that your bank is who they say they are and sign some information that the bank sends to you when you connect to the banks site. After connecting your browser downloads that signed information and verifies the signature. In the real world verifying a signature is not really fool proof, but often times it is good enough. In the crypto world verifying a signature is actually pretty fool proof as long as the math is solid.
Ok, so is the math solid?
This is where the SHA-1 part comes in. Attacks on the signature of a certificate are kind of like going fishing in a fished out pond. You have to do a lot of fishing to get a bite. SHA-1 is a cryptographic hashing function that is used as part of the signature. Perhaps the best way to discuss this is to talk about the transition to SHA-1. We used to use a hashing function called MD5 for signatures. Why don’t we use it anymore? This is the sequence of events. Someone in the math/crypto community claimed that MD5 was broken, meaning that someone could theoretically mint fraudulent certificates. The security community looked at his work and said, that it looked interesting but wasn’t practical and therefore wouldn’t happen any time in the foreseeable future. Then someone proved that wrong by creating a fake certificate. Then we moved to SHA-1. Since we moved to SHA-1 the reliance on SSL/TLS certificates in our daily lives has increased quite a bit and most of the web currently uses SHA-1 certificates in one way or another(~70-80%). With SHA-1 already being declared theoretically broken, the speculation is that perhaps someone has also broken it in practice, and that is why we are having to move to SHA-256 at, relatively breakneck speed.
My thoughts on the project
It was great to get back into HTML, CSS and, PHP. I have used OpenSSL within other projects and it constantly amazes me how it can come in handy. This was my first time using it programmatically.
Picking the right language
To some extent I underwent this project to understand how to interact with SSL/TLS within a programming language. I initially started with PHP, but I got to a certain point where I felt like there was a certain lack of elegance in what I was trying to do, so I set out and looked at some other options. I took a look at Python 2.x first and had some success, but the openssl implementation within that branch of Python leaves me wanting. There was a patch that had been submitted to the Python community that would solve the issue I was having, but it hadn’t been merged into the main release and didn’t look like it would any time soon. I was not about to custom compile my own version of python for this project, though I considered it! I also looked into Ruby, and actually had a lot of success writing something very elegant in it. But I haven’t had my brain broken enough by rails and I didn’t need to talk to a database anyway. I also looked into Sinatra, which allows you to write Ruby without Rails. Honestly I just couldn’t get it to work. I ended up coming back to PHP and after having seen the problem from a bunch of different perspectives, and then made some great progress with PHP.
Fighting scope creep.
There are several things that the site doesn’t do. It doesn’t actually check to see if you have valid certificates. The site may at some point do this, it wouldn’t be to hard to do, but it doesn’t at this point. The certificate doesn’t need to be valid for you to check whether you need to re-issue because of SHA-1 being present in the chain. Test results don’t show the root certificate. This is actually why it took me so long to launch the site. I really wanted to find a good way to handle getting the root certificate, because most servers serve the chain certificates and leaf certificate but not the root certificate. It is actually not a best practice to serve the root certificate, as it is a waste of bits. It is also not necessary for the client to download it to verify, because the client already has it in its store. I actually tried to find a way to determine the root certificate in an easy way, when it isn’t served(i.e. all the time) and really couldn’t find an obvious one, without doing a ton of cryptographic operations. In the end, I didn’t implement either because they are not required by the project and I think it would have slowed the test down quite a bit.
Ask anyone I’ve worked with, I’m a bit picky when it comes to user interface. I hate to put out stuff that looks like crap. I decided to mess around with Twitter’s Bootstrap. It was a very easy way to make something structured and lightweight and not terrible looking. And it works seamlessly on a mobile device.
Open Source and beyond?
So I’m an IT person by trade, not a programmer. Right now my code is kind of full of spaghetti. But I have been thinking of cleaning it up and releasing it as FOSS on Github. Leave me a comment about that or anything else constructive about how I could make this project better! Thanks for stopping by.