Rest-in-Peace SHA-1. Like all security controls, they are only valuable for a certain period of time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness, therefore it is time to be permanently retired. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next year. The risks of using a weak hashing algorithm in browsers include the possibility of man-in-the-middle attacks, spoofed content, and even phishing against victims.
This security hashing algorithm has been around since circa 1995 and been heavily used in protecting web content. Hashing algorithms provide a vital role in verifying the integrity of files and are used when making a secure web connection (i.e. https:// sites) to ensure you are visiting the correct location and not a spoofed site looking to harvest your data. The problem arose in 2005 when researchers from Princeton University published a paper showing it was possible to find collisions much easier than previously thought. For hashing, collisions represent the ability to duplicate the verification with a different source, therefore invalidate the security of the system.
NIST has recommended switching to the upgraded SHA-2 variant since 2012. But removing embedded algorithms is not an easy or convenient process for website administrators, therefore outdated versions tend to linger on well after their useful life. Ultimately, such legacy support becomes more caustic over time and lends itself to progressively weaker security.
So, the end of SHA-1 is good news for everyone, except the attackers. Farewell SHA-1. The industry has finally stood up and collectively voted you out.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.