According to new research, attacks on the SHA-1 hashing algorithm just got a lot more dangerous with the discovery of a cheaper, more practical version of SHA-1 collision attacks. Hashing algorithms are used to compute the keys used in public key encryption which is essential to the security of nearly every web transaction.
Although the industry has been trying to move away from SHA-1 for years, Venafi has found more than 6 million SHA-1 certificates still in use on public facing websites.
SHA-1 usage is one more indication that most organization aren’t putting enough emphasis on protecting the keys and certificates that serve as machine identities:
SHA-1 was first tagged as weak and vulnerable back in 2005. As of January 2015, public certificate authorities were forbidden from issuing SHA-1 certs that expired after December 2016. Since 2017, the most popular web browsers have been preventing and discouraging SHA-1 use by warning users/consumers of ‘invalid certificates.’
Despite all of these efforts, we still see SHA-1 certificates deployed. The main reasons are because there are apps that still cannot support newer or stronger algorithms. In other cases, like IoT or edge-computing, resource constraints prevent the use of stronger cryptography.
This new research is a reminder that this issue is not going to go away. As long as computing power continues to grow exponentially, algorithms will weaken and decay over time, this is a given. Quantum computing promises even more disruption in the future.