End of the Road for SHA-1?

sha-1SHA-1 or Secure Hashing Algorithm 1 was developed in 1993 by the National Security Agency (NSA).  It has been used to provide both hashing functions and digital signatures that validate that a certain document, web site, or other resource is genuine, original, and unchanged.

SHA-1 is used in common services such as SSL (secure websites) and TLS (secure email).  There has been discussion about the low security of SHA-1 going back to 2005.  In 2010 the National Institute for Standards and Technology has recommended that government agencies stop using SHA-1.  And in 2014, Google stated it would actively penalize websites still using SHA-1 in SSL certificates after 2016.  The reason is that the hash length is considered too short to be be absolutely secure.  The recommended upgrade path is to SHA-2 or SHA-3.

When I am performing vulnerability assessments for client companies, SHA-1 vulnerabilities show up often.  Upgrading would eliminate those vulnerabilities.  And now we have other reasons to move on from SHA-1 implementations.  Next year, Google, Microsoft, Apple, and Mozilla browsers will no longer accept SHA-1 connections.

  • Microsoft Internet Explorer and Edge: Starting on February 14, IE and Edge will not load any websites still using SHA-1, though users can still opt to continue to the website after seeing a warning message.
  • Google Chrome: At the end of January next year, with the release of version 56, Chrome will stop trusting any SHA-1 SSL certificate and will provide a security warning.
  • Mozilla Firefox: With the release of Firefox 51 in January, the browser will show an “untrusted connection” error warning for any site still using SHA-1.
  • Apple Safari: Apple is strongly suggesting sites to drop SHA-1 as soon as possible, and websites loaded in the Sierra version do not show the green padlock that indicates a trusted site.

If you are using a SHA-1 SSL certificate on your website, you will want to upgrade to something better as soon as possible, or risk running your visitors through the gauntlet of worrisome security warnings, not to mention lower Google page rank.  If you have manually created self-signed security certificates on your Windows computer network, you will need to go through the process of updating those certificates to SHA-2 or 3.

More information:

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment