
It's the end of SHA-1 and I feel fine


When the National Security Agency (NSA) introduced Secure Hash Algorithm 1 (SHA-1) in 2002 as an approved cryptographic security algorithm, it was practically unbreakable. That was a long, long time ago.

Image caption: True, SHA-1 security has been broken, but then we’ve been planning on it being busted for years now. (Getty Images/iStockphoto)

Since then, SHA-1 has been used in numerous secure applications. These include web Secure-Socket Layer (SSL) certificates, encrypted communications, and code revision control systems such as Git.


But, even as it was being widely used, some SHA-1 implementations were being cracked. Experts soon realized it was only a matter of time before the core algorithm itself was busted. By January 2011, the National Institute of Standards and Technology (NIST) started discouraging SHA-1’s use.

Even earlier than NIST, Microsoft told its developers to plan on no longer using SHA-1 by Jan. 1, 2016. It wasn’t the only vendor to give up on SHA-1. Google began to deprecate SHA-1 support in web digital certificates in 2014.

In that same year, the OpenSSL Heartbleed zero-day vulnerability made many websites reconsider using SHA-1. While Heartbleed didn’t crack SHA-1, it did encourage them to upgrade their security certificates to SHA-2.

SHA-2 uses SHA-1’s algorithm, but it uses different input and output sizes for far superior security. SHA-2 includes a series of SHA options designated by the size of the generated hash: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. NIST approved SHA-3, which uses a new algorithm, in 2015. However, there are few practical SHA-3 implementations. Thus, SHA-2 is the current popular secure algorithm.

By 2015, all the major browser companies, Mozilla with Firefox, Microsoft with Internet Explorer and Edge, and Google with Chrome, had announced plans to block “secure” websites that used SHA-1-based certificates. True, some sites were still using outdated security, but if you used an up-to-date browser you couldn’t use these sites. This caused Firefox, for a limited time, to reinstate SHA-1 support. Within the next few months, all the browser companies will require SHA-2.

So, while it’s very interesting that Google has announced the first SHA-1 collision, practically speaking it’s not as important as some people might have you believe. True, as Google points out, it’s to be hoped that “SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.” But are that many people using modern technology still using SHA-1?

By fall 2015, Netcraft said there were under a million websites still using SHA-1. In January 2017, Netcraft reported there were 1.8 billion websites total. There simply aren’t that many sites still using SHA-1.

Besides, as Matthew, a security consultant, pointed out on StackExchange: “Currently, given the specific collision method used, the impact is quite limited.” He continued, “the Google announcement mostly just confirms what had been suspected for a while — SHA-1 is vulnerable to collisions, just as MD5 was, but finding them requires a lot of effort, and most of the really high profile targets (such as generating CA certificates) have mitigation in place from the very similar MD5 collisions found previously. Experts have been advising moving from SHA-1 for a while now, and this advice still stands.”

As for other SHA uses, Peter Gutmann, a cryptography expert at the University of Auckland, New Zealand, wrote, “After sitting through an endless flood of headless-chicken messages … I thought I’d do a quick writeup about what this actually means. In short: Reports of SHA-1’s demise are considerably exaggerated.”

Gutmann continued, Google’s “presentation of the results is detailed and accurate, it’s the panicked misinterpretation of those results that are the problem. The only real-world problem isn’t with e-mail, SSL, SSH, IPsec, etc., etc. it’s with long-term document signing and certificates.”

In other words, while SHA-1 has indeed reached the end of the road, we set up the detour signs years ago. For those few people still using SHA-1, it’s time to move on. But most of us have already left SHA-1 behind in our rear-view mirrors.


(via PCMag)
