Sites cling to a million flawed, fading SHA-1 certificates: Netcraft

250,000 cry: 'SHA-1 or death!'

British security bod Paul Mutton says scores of websites including big ticket companies like Deloitte are among a million outfits using outdated and vulnerable SHA-1-coded certificates which researchers have recently badged deceased.

The hash function was this month busted by a crypto cadre with $US75,000 of cloud computing resources, undercutting estimates by US$100,000 and putting such an attack within reach of even modestly-resourced groups.

SHA-1's a known dud of a cipher that's been recommended for retirement in 2017.

Netcraft's Mutton says some 120,000 SHA-1 certificates were issued this year of which more than a quarter of a million are scheduled to live beyond 2017.

"SHA-2 eventually overtook SHA-1 in May 2015, but there are still nearly a million certificates currently using SHA-1," Mutton says.

"The owners of these certificates will undoubtedly need to replace them months — or in some cases, years — before they are due to expire.

"Deloitte (Austria) is still using a SHA-1 signed certificate that was issued in February 2015 and valid until 2020. Google Chrome already regards this certificate as insecure."

SHA-1 vs SHA-2. Netcraft, October 2015.

That certificate is issued by Austria's A-Trust which operates a root certificate trusted by all browsers.

The National Institute of Standards and Technology blesses only SHA-2 and SHA-3 algorithms, with SHA-256 to SHA-512 being green-lighted by the Browser Forum's baseline requirements for publicly-trusted certificates.

Heartbleed resulted in an uptick in adoption of the better algorithms which lack the mathematical weaknesses of SHA-1. About half a million certificates were impacted by 2013's infamous bug.

A motion by a gang of tech companies to prolong the life of SHA-1 in the name of customer convenience was ditched after this month's cracking research. ®


Biting the hand that feeds IT © 1998–2017