Wednesday March 08, 2017

One in Five Websites Still Use Outdated SHA-1 Encryption Algorithm

SHA-1 has been known to be potentially insecure since 2005, but this wasn't proven in practice, at least not publicly, until Google recently announced they executed a successful collision attack, breaking it. The collision attack is notable as it takes about one 100,000th of the time to crack SHA-1 as it would with a full brute force attack.

The Register is reporting that one in five websites out there are still relying on SHA-1, despite its known vulnerabilities. This is an improvement over November last year when a third of all sites were relying on SHA-1.

Google, Microsoft and Mozilla have all set deadlines for early 2017 for websites to migrate away from SHA-1. It is unclear exactly what actions will be taken at that time, but presumably browsers will start issuing security warnings, and sites using SHA-1 will be down-ranked in search results.

This does all need to be put into perspective though. Even with Googles collision attack, it requires approximately 110 GPU's to break it in about a years time, so your average Russian script-kiddie isn't going to be doing it any time soon, even if he is lucky enough to have a few Pascal Titan's. It does, however, mean that SHA-1 is vulnerable to state actors with access to supercomputing resources, and potentially people with some money looking to rent supercomputer time. They would have to try to hide their true goals, but in a world where rented AWS clusters have been used for massive DDOS attacks, this doesn't seem infeasible.

News Image

Kevin Bocek, chief security strategist for Venafi, commented: "Even though most organisations have worked hard to migrate away from SHA-1, they don't have the visibility and automation necessary to complete the transition. We've seen this problem before when organisations had a difficult time making co-ordinated changes to keys and certificates in response to Heartbleed, and unfortunately I'm sure we are going to see it again."