Time to Transition from Vulnerable SHA-1
Secure Hash Algorithm – 1 (SHA-1) is outdated and insecure. It is vulnerable to attacks. Most IT majors such as Google, Microsoft, Apple and IT security companies have emphasized on migrating to the more secure SHA-2 or SHA-3. But the fact remains that millions of websites have not yet heeded the warning and are still sticking onto the SHA-1 cryptographic hash algorithm.
The deadline for migration has passed. The depreciation or sunsetting of SHA-1 has commenced and Google’s Chrome would not display a”fully trustworthy” notification for these websites. Microsoft would now treat SHA-1 as an untrusted certificate. And all other browsers will implement similar measures.
In 2011, the CA/Browser Forum had recommended that all Certificate Authorities (CAs) should transition from SHA-1 as soon as possible, as SHA-1 did not meet the baseline requirements for SSL. Notably, in 2010, NIST had deprecated SHA-1 for government use.
Google researchers demonstrated a real-world collision attack in collaboration with the CWI Institute in Amsterdam. Though this exercise took a long time and significant resources to enact, it is possible that hackers would be able to replicate the same attacks.
- Web sites will suffer if they do not transition immediately.
- Browsers will display warnings
- Website visitors will not transact in untrusted websites
- Business would suffer
- HTTPS notice in the address bar will appear as “unsecure”
- The website will become slow
- Further on, browsers will block SHA-1 websites
- Man in the middle (MitM) attacks can take place on SSL/TLS connections.
How to Stay Secure: Recommendations
- Organizations must immediately transition to higher than SHA-1
- They must secure not only their public-facing website but also their private networks
- Install/subscribe to an SSL certificate management system
- Secure with appropriate SSL certificates
- Obtain SSL certificates only from reputed Certificate Authorities
Organizations must learn from the deadly cyber attacks that have taken place – such as the Heartbleed attack. The Heartbleed Bug was a serious vulnerability that allows stealing of information protected by the SSL/TLS encryption. The bug was an exploit of a vulnerability in OpenSSL cryptographic software library. It demonstrated the importance of cryptography and the need for automation for better website security.
For organizations, any further delay in transitioning from SHA-1 is not recommended. The repercussions are severe and may lead to a long-term business loss for the organizations.