Farewell SHA-1 Hash Algorithm

Rest-in-Peace SHA-1.  Like all security controls, they are only valuable for a certain period of time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness, therefore it is time to be permanently retired.  Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next year.  The risks of using a weak hashing algorithm in browsers include the possibility of man-in-the-middle attacks, spoofed content, and even phishing against victims.

This security hashing algorithm has been around since circa 1995 and been heavily used in protecting web content.  Hashing algorithms provide a vital role in verifying the integrity of files and are used when making a secure web connection (i.e. https:// sites) to ensure you are visiting the correct location and not a spoofed site looking to harvest your data.  The problem arose in 2005 when researchers from Princeton University published a paper showing it was possible to find collisions much easier than previously thought.  For hashing, collisions represent the ability to duplicate the verification with a different source, therefore invalidate the security of the system.

NIST has recommended switching to the upgraded SHA-2 variant since 2012.  But removing embedded algorithms is not an easy or convenient process for website administrators, therefore outdated versions tend to linger on well after their useful life.  Ultimately, such legacy support becomes more caustic over time and lends itself to progressively weaker security.

So, the end of SHA-1 is good news for everyone, except the attackers.  Farewell SHA-1.  The industry has finally stood up and collectively voted you out.

 

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Published on Categories SecurityTags , ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.