In May 2017, IE and Microsoft Edge finally began to note the SSL/TLS certificates signed with the well-used SHA-1 hashing protocol as insecure. At this point, it had already been done by Chrome and Firefox. This encryption protocol has been in use since 1995. This has been replaced by SHA-2 years ago due to collision attacks. This occurs when two files have the same SHA-1 digest. Although a few attacks may be possible yet impractical, the noted attack in practical and workable.
The question is, however, what makes this so notable. The entities should have been using the SAH-2 due to the SHA-1 no longer being the industry standard, yet this is still actively in use. One of the answers involves the entities' applications. There are, in specific situations, legacy systems in place which require SHA-1. With SHA-2, if implemented, may break other applications already in place. There may also be a timing issue with staffing. Although this is pertinent and should be applied, the staffing may simply not have the opportunity to implement this.
With whichever the rationale may be, the SHA-1 should no longer be used. The systems should be upgraded to implement this. To not is to invite issues to your door.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!