Tag Archive for: SHA1

As Deadline Looms, 35 Percent Of Web Sites Still Rely On SHA-1 – Dark Reading

Over 60 million web sites are relying on a hashing algorithm that will be blocked by major browsers starting Jan 1.


Microsoft to begin SHA-1 crypto shutoff with Windows 10’s summer upgrade

Microsoft last week outlined the timetable it will use to drop browser support for sites that secure traffic with SHA-1 certificates, part of an Internet-wide plan to rid the Internet of the weaker encryption.

With the delivery of the Windows 10 Anniversary Update — slated to ship sometime this summer — both Internet Explorer (IE) and Edge will stop displaying a lock icon for sites that rely on a SHA-1 certificate. That icon signals that the bits back and forth between browser and website are encrypted, and so not vulnerable to spying.


Network World Security

Microsoft considers blocking SHA-1 certificates after cost of collisions slashed

Microsoft may phase out support for TLS certificates that use the SHA-1 hashing algorithm as early as June 2016. The decision comes in the wake of recent calculations that suggest generating collisions is quicker and cheaper than previously anticipated.

SHA-1 is a hash algorithm, used to derive a 160-bit value from an arbitrary input. Its intent is for collisions—different inputs that hash to the same 160-bit value—to be hard to generate. As compute power has steadily grown over the years, it has become quicker and cheaper to generate collisions. It was previously projected by Bruce Schneier, based on the observed growth of compute power, that creating SHA-1 collisions would be within reach of criminals by 2018 at a cost of about $173,000. On this basis, Microsoft intended to cease supporting the use of new SSL/TLS certificates using SHA-1 on January 1, 2016 and all SHA-1 SSL/TLS certificates on January 1, 2017.

The new cost and performance estimates, however, suggest that the cost is both drastically lower—$75,000 to $120,000—and that the compute resources are immediately available through cloud services such as Amazon EC2. This has given browser vendors little option but to reconsider the previous 2017 timetable for retiring support of SHA-1.


Ars Technica » Technology Lab

Mozilla may reject SHA-1 certificates six months early – SC Magazine UK


After years of warnings that MD5 was exploitable, the algorithm was only abandoned after it was discovered that an MD5 collision was used to launch the Flame espionage malware. The latest research estimates that a collision attack could be achieved for
Continuing to Phase Out SHA-1 Certificates | Mozilla Security Blog – The Mozilla Blog
SHA-1 hashing algorithm could succumb to $75K attack, researchers say | InfoWorld
[cabfpub] Ballot 152 – Issuance of SHA-1 certificates through 2016 – CA/Browser Forum
