The National Institute of Standards and Technology (NIST) mathematically predicted this would happen about this time back in January 2011. See NIST Special Publication 800-131A Revision 1: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. Based on this recommendation, Google Chrome started warning users when they visited an SSL secured website that uses SHA-1 beginning November 2014.
|Google Chrome SHA1 Notifications Gradually Ramped Up Over Time|
Clearly, Google was more than happy to prove NIST's prediction right by announcing the first public SHA1 collision on February 23, 2017. Microsoft wrote a response the same day, but their timeline to remove SHA1 functionality from Windows remains mid-2017.
So who's at risk and what can be done about it?
Companies that use SSL-secured websites should check them to ensure they are not using the SHA-1 algorithm on any certificate. Root certificates are not affected by this, but best practice is to upgrade all Certificate Authorities (CA) to use the SHA256 algorithm. Nothing says bad press like a security warning or breach.
EXPTA Consulting provides PKI infrastructure services and can help install, reconfigure, or upgrade your existing PKI infrastructure securely and safely.
Users should run the latest versions of browsers. They should also be educated about browser security warnings, what they mean, and how to handle them.
Here are the current warnings users will see when visiting an SSL website using the SHA-1 algorithm from three popular browsers on Windows 10:
|SHA1 Website in Chrome|
|SHA1 Website in Edge|
|SHA1 Website in Internet Explorer 11|