Noseyparker - 21 July

Most of today was spent implementing a TLS connection event handler for certificates using the SHA-1 signature algorithm whose expiry date falls during or after the Google Chrome sunset period. Google and other online service providers have been pushing to phase out the SHA-1 algorithm due to its weaknesses. See the Chromium blog post.
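As an added illustration of the check such a handler performs (example code written for this post, not nogotofail's own implementation), the block below walks a DER-encoded X.509 certificate with a minimal standard-library DER reader, pulls out the signature algorithm OID and the notAfter date, and classifies SHA-1 signed certificates by where their expiry falls relative to the sunset window. The sunset boundaries (1 January 2016 and 1 January 2017) are assumptions recalled from the Chromium announcement, not values stated on this page, and the sample certificate is a constructed, unsigned skeleton built by the included encoder so the example runs offline.

```python
"""Classify SHA-1 signed certificates by expiry relative to the Chrome sunset.
Added example, not nogotofail code. Standard library only."""
from datetime import datetime

# Signature algorithm OIDs whose digest is SHA-1.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.3.14.3.2.29": "sha1WithRSASignature (OIW)",
}
# Assumed sunset boundaries (recalled from the Chromium post; not from this page).
SUNSET_START = datetime(2016, 1, 1)
SUNSET_END = datetime(2017, 1, 1)


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a SEQUENCE body into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_time(tag, body):
    """UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    text = body.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")


def cert_sig_alg_and_expiry(der):
    """Return (signature algorithm OID, notAfter) for a DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    tbs, sig_alg, _signature = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    not_after = decode_time(*children(fields[3][1])[1])
    return decode_oid(children(sig_alg[1])[0][1]), not_after


def classify(der):
    """None for non-SHA-1 certs; otherwise where the expiry sits vs. the sunset."""
    oid, not_after = cert_sig_alg_and_expiry(der)
    if oid not in SHA1_SIG_OIDS:
        return None
    if not_after >= SUNSET_END:
        return "sha1_expires_after_sunset"
    if not_after >= SUNSET_START:
        return "sha1_expires_during_sunset"
    return "sha1_expires_before_sunset"


# --- constructed test data: a tiny DER encoder builds an unsigned skeleton cert ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_test_cert(sig_oid, not_after_utc):
    """Constructed sample: version, serial, algorithm, empty names, validity, empty SPKI."""
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, not_after_utc))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    print(classify(build_test_cert("1.2.840.113549.1.1.5", b"170301000000Z")))
```

In a real handler the DER bytes come from the server's Certificate message; only the leaf certificate needs this check, and a non-SHA-1 result means the event should stay silent.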

The signature algorithm is used to hash the content, creating a "message digest". The digest provides message integrity, i.e. it detects tampering. The digest is also signed with the session's private key to produce a HMAC, allowing the receiver to verify who signed it (using the session public key and some mathematical magic).

Extra content ...

Note, this task wasn't listed in my project objectives; however, I was working on other TLS handshake issues and this wasn't too difficult to implement. Unfortunately nogotofail doesn't appear to provide hooks into an app's unencrypted HTTPS traffic, i.e. the plaintext before encryption and after decryption. I spent the rest of today investigating how this functionality could be added.