SHA-1 Attacks On Upswing – Expert Comments

According to new research, attacks on the SHA-1 hashing algorithm just got a lot more dangerous with the discovery of a cheaper, more practical version of SHA-1 collision attacks. Hashing algorithms are used to compute the keys used in public key encryption which is essential to the security of nearly every web transaction.

Although the industry has been trying to move away from SHA-1 for years, Venafi has found more than 6 million SHA-1 certificates still in use on public facing websites.

Subscribe
Notify of
guest
1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Hari Nair
Hari Nair , Director of Product Management
InfoSec Expert
January 10, 2020 3:03 pm

SHA-1 usage is one more indication that most organization aren’t putting enough emphasis on protecting the keys and certificates that serve as machine identities:

SHA-1 was first tagged as weak and vulnerable back in 2005. As of January 2015, public certificate authorities were forbidden from issuing SHA-1 certs that expired after December 2016. Since 2017, the most popular web browsers have been preventing and discouraging SHA-1 use by warning users/consumers of ‘invalid certificates.’

Despite all of these efforts, we still see SHA-1 certificates deployed. The main reasons are because there are apps that still cannot support newer or stronger algorithms. In other cases, like IoT or edge-computing, resource constraints prevent the use of stronger cryptography.

This new research is a reminder that this issue is not going to go away. As long as computing power continues to grow exponentially, algorithms will weaken and decay over time, this is a given. Quantum computing promises even more disruption in the future.

Last edited 2 years ago by Hari Nair
Information Security Buzz
1
0
Would love your thoughts, please comment.x
()
x