SHA-1 digital certificates are being shut down by browser vendors based on the findings of a group of security researchers from universities in France, Singapore and the Netherlands. Their paper, titled “Freestart Collision for Full SHA-1,” demonstrated how to gain access to encryption keys protected by SHA-1.

The researchers estimated that $120,000 could rent enough computing power to compromise encryption keys protected by a SHA-1 certificate. Once these encryption keys have been compromised, a malicious actor would have the ability to steal data being sent over the network, including user IDs and passwords, credit card numbers and any other information.

The Challenge With SHA-1 Digital Certificates

Most consumers using a browser don’t know whether they are accessing a website with an unsafe SHA-1 certificate. As such, browser vendors are taking it upon themselves to sunset support for any site with SHA-1 digital certificates.

Microsoft recently published an update to its SHA-1 deprecation road map. Starting this summer, Microsoft Internet Explorer and Edge will be removing the address bar lock icon for websites using SHA-1 digital certificates. Microsoft went on to say it intends to completely block access to websites using SHA-1 digital certificates by February 2017.

Firefox, Chrome and other vendors have made similar announcements. In fact, Chrome already displays an error message when it encounters a SHA-1 certificate.

Why Are We Seeing a Lot of Press Around Encryption Problems?

The information security industry has been relying on old encryption standards that date back to the 1990s. At the time, these standards were considered safe enough; only nation-state attackers would have had the computing power or technology capable of performing a brute-force attack. Today, technology has drastically improved processing power and capabilities, rendering these old standards inadequate.

The SHA-1 digital certificate is a subset of the Transport Layer Security (TLS) 1.0 specification. This security standard is becoming increasingly outdated as security researchers continue to demonstrate its weaknesses.

Every business should consider moving to newer encryption standards to avoid the risk of a data breach. Some risks and recommendations were highlighted in the recent IBM report “Outdated Encryption Standards Pose a Serious Risk of Data Breach.”

What Steps Should a Business Take to Mitigate Risks?

It is imperative that websites that still rely on SHA-1 digital certificates move to SHA-2. Using SHA-1 digital certificates also implies that the organization is leveraging other old encryption standards within TLS 1.0. As such, it is essential for security professionals to review information and recommendations for both short- and long-term strategies for moving to the modernized encryption standards available in the TLS 1.2 protocol.

More from Software Vulnerabilities

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua¬†Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today