SHA-1 digital certificates are being shut down by browser vendors based on the findings of a group of security researchers from universities in France, Singapore and the Netherlands. Their paper, titled “Freestart Collision for Full SHA-1,” demonstrated how to gain access to encryption keys protected by SHA-1.
The researchers estimated that $120,000 could rent enough computing power to compromise encryption keys protected by a SHA-1 certificate. Once these encryption keys have been compromised, a malicious actor would have the ability to steal data being sent over the network, including user IDs and passwords, credit card numbers and any other information.
The Challenge With SHA-1 Digital Certificates
Most consumers using a browser don’t know whether they are accessing a website with an unsafe SHA-1 certificate. As such, browser vendors are taking it upon themselves to sunset support for any site with SHA-1 digital certificates.
Microsoft recently published an update to its SHA-1 deprecation road map. Starting this summer, Microsoft Internet Explorer and Edge will be removing the address bar lock icon for websites using SHA-1 digital certificates. Microsoft went on to say it intends to completely block access to websites using SHA-1 digital certificates by February 2017.
Firefox, Chrome and other vendors have made similar announcements. In fact, Chrome already displays an error message when it encounters a SHA-1 certificate.
Why Are We Seeing a Lot of Press Around Encryption Problems?
The information security industry has been relying on old encryption standards that date back to the 1990s. At the time, these standards were considered safe enough; only nation-state attackers would have had the computing power or technology capable of performing a brute-force attack. Today, technology has drastically improved processing power and capabilities, rendering these old standards inadequate.
The SHA-1 digital certificate is a subset of the Transport Layer Security (TLS) 1.0 specification. This security standard is becoming increasingly outdated as security researchers continue to demonstrate its weaknesses.
Every business should consider moving to newer encryption standards to avoid the risk of a data breach. Some risks and recommendations were highlighted in the recent IBM report “Outdated Encryption Standards Pose a Serious Risk of Data Breach.”
What Steps Should a Business Take to Mitigate Risks?
It is imperative that websites that still rely on SHA-1 digital certificates move to SHA-2. Using SHA-1 digital certificates also implies that the organization is leveraging other old encryption standards within TLS 1.0. As such, it is essential for security professionals to review information and recommendations for both short- and long-term strategies for moving to the modernized encryption standards available in the TLS 1.2 protocol.