Google has announced that its Chrome browser will stop supporting SHA-1 certificates by 2017. Google has long lacked confidence in the ability of SHA-1, the algorithm used for encryption by most SSL certificates (which add the “s” to https://), to keep your information safe.
Prof. Michael Scott, Chief Cryptographer and Co-Founder of MIRACL, explains:
“SHA-1 has been holed beneath the water-line for years, and has been slowly sinking ever since.
However, the security industry has displayed its astonishing capacity for lethargy by essentially doing nothing about it. The only way to get these people to act is to provoke a crisis, which is what Google has done. So now we get a headless chicken response. A kind of combination of an “if it ain’t broke don’t fix it” attitude combined with ostrich-like head-in-the-sand. And to complete the bird analogies, yes, SHA-1 is indeed a turkey.
Given the importance of internet security, the immaturity and timidity of the security industry never ceases to amaze me.
Users of SHA-1 should have migrated years ago to the long-established SHA-2 standards. These are fine, and have no known weaknesses. However, the cryptographic community, who are no slouches, have already come up with and standardized a more flexible and modern replacement for SHA-2, unsurprisingly called SHA-3.
But if companies haven’t already switched from SHA-1 to SHA-2, what are the chances of them ever adopting SHA-3? If the automobile industry adopted the same approach we would still all be driving Volkswagen Beetles. Don’t get me started!”