Goodbye, SHA-1. Hello, SHA-2.

What, in the world, is SHA-1? Is it edible?

For years, the SHA-1 (a.k.a. Secure Hash Algorithm) cryptographic algorithm has been a valued hash, and its complexity was enough to give assurance that the content of vulnerable websites would not be accidentally corrupted or tainted. Doubts about SHA-1 started to surface after researchers realized that hackers were discovering innovative ways to interfere with websites that rely on SSL encryption for their security. Put simply, SHA-1 is supposed to make sure that no external parties interfere with the process of accessing a certain website. If SHA-1 worked without any hitches, it would generate a unique slug to make this process go smoothly, and you would be connected to an authentic domain.

Sooo… what’s the issue?

Well, the problem is that security researchers have expressed concerns that SHA-1 is too weak to appropriately protect websites. When it was created, SHA-1 had the mission of producing original certificates which would be accepted by the browser. In theory, SHA-1 is expected to check and give assurance that no unvalidated modifications have been made to the domain. A collision (two different inputs that produce the same hash) means that cyber criminals might be able to interfere in this process. And, yes, SHA-1 seems to be pretty weak. Actually, it is so vulnerable to attacks that it is surprising that hell has not broken loose yet. To our knowledge, millions of websites still use SHA-1 and are not eager to replace it with SHA-2.

SHA-2? Is that supposed to be the alternative websites should switch to?

Definitely yes. SHA-1 might have served millions of users and websites, but its era has reached its sunset and it should be replaced. While SHA-1 lacks complexity and makes an almost impossible collision attack realistic, SHA-2 (Secure Hash Algorithm 2) is much more resistant and reliable. Security researchers agree that the use of SHA-1 might lead to unnecessary security issues. For that reason, its usage is no longer recommended. 2017 is expected to be the year in which SHA-2 permanently replaces SHA-1. And these are not just mere words: the use of SHA-1 is expiring. The 24th of January is going to be the date on which a browser starts displaying warnings whenever users access websites that do not use SHA-2.

Website owners probably ignore these warnings because they think that replacing SHA-1 with SHA-2 is extremely complicated…

Not necessarily: maybe they just assume that ‘meh, who cares, I’m good’. In reality, website owners do need to adjust to changing factors and re-evaluate their strategies. If you are not sure whether your website uses SHA-1 or SHA-2, you should check. There are now websites that allow you to enter the URL of your domain and bang: you will be informed. Did you discover that your website still depends on the weak SHA-1? All you have to do is write a request for a new certificate. Your CA will issue you a new one, this time signed with a SHA-2 hash.

Sources: konklone.com, arstechnica.com.
