
SHA-1 Broken

Posted: 22 Dec 2015, 20:04
by yogi
When you go to a website, how do you verify that it is what you think it is? Most of us don't verify our destinations manually, but we do allow our browsers (all of them) to do the check for us. A mathematical algorithm is applied to the site content (or something you download from it), and a jumbled-up version of all that is outputted as a string of apparently random characters. That string is known as a hash and stored in your browser as a certificate. Thus, if you know the hash certificate is correct, the authenticity of the website is verified.

If a bad guy can make his website come up with the identical certificate, then there is no way to tell which is the right one. That uncertainty is about to become widespread as the cost of hacking the certificates comes down with the availability of cheaper and more powerful hardware. The likes of Google, Mozilla, and Microsoft know about this impending danger and promised to alter their browsers so that the SHA-1 algorithm is no longer used for certificate validation. This was supposed to happen by the end of 2017, but the date has been pushed up to the middle of 2016. Hackers are getting better quicker, so it seems. So, after the New Year, Google Chrome users will be seeing warnings that sites with SHA-1 coding are dangerous, and they won't even allow you to go to those sites after the switchover. We are talking about 25% or more of all the websites out there that will lose their authenticity verification and leave the public vulnerable.

The good news is that there are other, more robust algorithms currently in use, and all those big-time browsers will be using SHA-2 to replace SHA-1. However, this puts the burden on all those vulnerable websites to update their certificates immediately. If they don't update, then you are at the mercy of potential hackers spoofing the content of the unverified sites for their own purposes. Mass panic is not the answer here because the only time this truly matters is when you are conducting business transactions and want to be sure you are on the website you think you are on. That STILL is a lot of updating needing to be done in a six-month time frame.

http://motherboard.vice.com/read/over-a ... -be-broken

Re: SHA-1 Broken

Posted: 23 Dec 2015, 21:06
by Kellemora
Good to know, Yogi!