en English
X

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

en English
X

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

Google Proves It: SHA-1 is Broken

Most experts have been recommending that SHA-1 be deprecated for some time. Luckily, most websites use SHA-2, a more updated and less vulnerable version of the technology. All reputable certificate authorities, such as SSL.com, have retired SHA-1 certificates and are using SHA-2.

Google Proves It: SHA-1 is Broken

On February 23, 2017, the announcement the cryptography world has been waiting for finally came. Google and Centrum Wiskunde & Informatica (CWI) Amsterdam, the Netherlands’ national research institute for mathematics and computer science, teamed up to demonstrate that the insecurity of SHA-1 has moved from theoretical to proven. The teams released a joint statement on Google’s security blog detailing how they generated a hash collision.

A hash collision is achieved when two different inputs using cryptology yield identical results, effectively rendering the cryptology vulnerable, since a malicious file could be introduced that fools the cryptology. Until now, only “brute force” collisions had been proven to be possible, and experts estimate that brute force attacks on SHA-1 would require 12 million graphics processing unit (GPU) years to complete, which renders brute force impractical. The combined Google/CWI team exploited weaknesses in SHA-1 to speed this process up one hundred thousand times. This effectively demonstrates that SHA-1 is, in practice, now proven to be vulnerable to attacks from well-funded entities with sufficiently sophisticated computing power.

Google’s announcement was not a complete shock. As early as 2005, a team of researchers from Shandong University in China wrote about the theoretical possibility of practical techniques for generating collisions in SHA-1. In 2013 Marc Stevens, the head of the team from Google that broke SHA-1, published a paper on the topic as well,  and February’s announcement has therefore been considered only a matter of time.

So what to do about it? Experts have been recommending that SHA-1 be deprecated for years. Luckily, most websites currently use SHA-2, a  less vulnerable version of the technology. All reputable certificate authorities, including SSL.com, have retired SHA-1 certificates and use SHA-2 exclusively.

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com