SHA-1 may be culled earlier as attacks become more viable

Andy Gambles
Published in Servertastic
Oct 26, 2015

For many years, SHA-1 was the standard hashing algorithm used by certificates. Earlier this month, security researchers developed an attack against SHA-1 and stated that it can now be defeated at a cost of just $75,000 to $120,000 in computing power. This makes attacks simple for many nation states and puts them within reach of criminal and corporate hackers.

The cost of attacking SHA-1 is likely to continue to fall in the coming months. As a result, Mozilla has announced it wishes to bring forward the end of SHA-1 from 1 January 2017 to 1 July 2016.

From Firefox 43, users will be shown an untrusted connection error whenever a SHA-1 based certificate that is valid from 1 January 2016 is encountered.

[Image: Firefox untrusted connection error]

The CA/Browser Forum has also recently withdrawn a motion to extend the SHA-1 acceptance period for a small number of corporate entities with legacy equipment. The risk to SHA-1 is seen as too great.

Netcraft have also recently revealed that 1 million certificates are still using the SHA-1 algorithm.

If you are still running SHA-1 on your website, or you don’t know whether you are, then you must read "Deprecation of SHA-1 and moving to SHA-2".

From 1st December 2015 Servertastic will no longer provide SHA-1 as a hashing option within our order process.
