Time to Transition from Vulnerable SHA-1

Secure Hash Algorithm – 1 (SHA-1) is outdated and insecure.

It is vulnerable to attacks. Most IT majors such as Google, Microsoft, Apple, and IT security companies have emphasized on migrating to the more secure SHA-2 or SHA-3. But the fact remains that millions of websites have not yet heeded the warning and are still sticking onto the SHA-1 cryptographic hash algorithm.

The deadline for migration has passed. The depreciation or sunsetting of SHA-1 has commenced and Google’s Chrome would not display a ”fully trustworthy” notification for these websites. Microsoft would now treat SHA-1 as an untrusted certificate. And all other browsers will implement similar measures.

In 2011, the CA/Browser Forum had recommended that all Certificate Authorities (CAs) should transition from SHA-1 as soon as possible, as SHA-1 did not meet the baseline requirements for SSL. Notably, in 2010, NIST had deprecated SHA-1 for government use.

Google researchers demonstrated a real-world collision attack in collaboration with the CWI Institute in Amsterdam. Though this exercise took a long time and significant resources to enact, it is possible that hackers would be able to replicate the same attacks.

Repercussions

  • Web sites will suffer if they do not transition immediately.
  • Browsers will display warnings
  • Website visitors will not transact in untrusted websites
  • Business would suffer
  • HTTPS notice in the address bar will appear as “insecure”
  • The website will become slow
  • Further on, browsers will block SHA-1 websites
  • Man in the middle (MitM) attacks can take place on SSL/TLS connections.

How to Stay Secure: Recommendations

  • Organizations must immediately transition to higher than SHA-1
  • They must secure not only their public-facing website but also their private networks
  • Install/subscribe to an SSL certificate management system
  • Secure with appropriate SSL certificates
  • Obtain SSL certificates only from reputed Certificate Authorities

Organizations must learn from the deadly cyber attacks that have taken place – such as the Heartbleed attack. The Heartbleed Bug was a serious vulnerability that allows stealing of information protected by the SSL/TLS encryption. The bug was an exploit of a vulnerability in the OpenSSL cryptographic software library. It demonstrated the importance of cryptography and the need for automation for better website security.

For organizations, any further delay in transitioning from SHA-1 is not recommended. The repercussions are severe and may lead to a long-term business loss for the organizations.