Much of the web will soon be a lot less secure. That's because SHA-1, the cryptographic algorithm used to secure much of the world's online credit card transactions, browsing sessions, and internet banking sites, is very, very close to being compromised by criminal hackers. All major browsers are planning to drop support for it: Google by July 2016, Microsoft by June 2016 and Mozilla by July 2016.
SHA-1 is a cryptographic one-way hashing function. It helps establish the integrity of data: even if one character of the original data is changed, the hash would be different. One application of this is password authentication, where the hash of the password entered is compared with the hash of the original password stored in the database. Many cryptographic hash functions exist, but SHA-1 is particularly popular for verifying digital certificates for web browsing. These digital certificates are used to secure HTTPS browsing sessions.
SHA-1 is used for more than 28% of digital certificates. But attacks against SHA-1 are becoming increasingly accessible to hackers, attacks that would completely undermine the system of trust built on certificates using the algorithm. In what is known as a “collision,” two different inputs produce the same hash. In a similar way to how encryption can be brute-forced, hashing algorithms can be targeted with sheer computing power in order to compromise them. A SHA-1 collision attack could be financed with around $2.77 million in 2012, $700,000 worth of Amazon servers in 2015, and $43,000 by 2021, per hash.
Starting in early 2016, Chrome will display a warning if a site is signed with an SHA-1-based signature, and will not connect at all to offending sites by July 2016. Certificate Authorities must also stop issuing SHA-1-based certificates next year, in line with the Baseline Requirements for SSL (SSL being a protocol used for encrypted web browsing).
It is a rather unsettling thought that the security of the world wide web is largely built upon trust, be that trust in the authorities issuing certificates, or faith in the algorithms that keep the whole thing afloat. Now, it is clearly time to move away from any sites that are gambling with that trust.