SHA-1 digital certificates are being shut down by browser vendors based on the findings of a group of security researchers from universities in France, Singapore and the Netherlands. Their paper, titled “Freestart Collision for Full SHA-1,” demonstrated how to gain access to encryption keys protected by SHA-1.

The researchers estimated that $120,000 could rent enough computing power to compromise encryption keys protected by a SHA-1 certificate. Once these encryption keys have been compromised, a malicious actor would have the ability to steal data being sent over the network, including user IDs and passwords, credit card numbers and any other information.

The Challenge With SHA-1 Digital Certificates

Most consumers using a browser don’t know whether they are accessing a website with an unsafe SHA-1 certificate. As such, browser vendors are taking it upon themselves to sunset support for any site with SHA-1 digital certificates.

Microsoft recently published an update to its SHA-1 deprecation road map. Starting this summer, Microsoft Internet Explorer and Edge will be removing the address bar lock icon for websites using SHA-1 digital certificates. Microsoft went on to say it intends to completely block access to websites using SHA-1 digital certificates by February 2017.

Firefox, Chrome and other vendors have made similar announcements. In fact, Chrome already displays an error message when it encounters a SHA-1 certificate.

Why Are We Seeing a Lot of Press Around Encryption Problems?

The information security industry has been relying on old encryption standards that date back to the 1990s. At the time, these standards were considered safe enough; only nation-state attackers would have had the computing power or technology capable of performing a brute-force attack. Today, technology has drastically improved processing power and capabilities, rendering these old standards inadequate.

The SHA-1 digital certificate is a subset of the Transport Layer Security (TLS) 1.0 specification. This security standard is becoming increasingly outdated as security researchers continue to demonstrate its weaknesses.

Every business should consider moving to newer encryption standards to avoid the risk of a data breach. Some risks and recommendations were highlighted in the recent IBM report “Outdated Encryption Standards Pose a Serious Risk of Data Breach.”

What Steps Should a Business Take to Mitigate Risks?

It is imperative that websites that still rely on SHA-1 digital certificates move to SHA-2. Using SHA-1 digital certificates also implies that the organization is leveraging other old encryption standards within TLS 1.0. As such, it is essential for security professionals to review information and recommendations for both short- and long-term strategies for moving to the modernized encryption standards available in the TLS 1.2 protocol.
