
21% of Websites Still Use SHA-1: Venafi Research

Posted By - DynamicCISO

SHA-1 is on the verge of breathing its last. But someone needs to notify the next of kin, because new research from Venafi Labs shows that 1 in 5 of the world’s websites are still using certificates signed with the vulnerable Secure Hash Algorithm, SHA-1. It’s not like these organizations didn’t know SHA-1 was a problem. All major browsers are currently issuing security warnings to visitors who access sites using insecure SHA-1 certificates.

If you have been living in a cave for the past several years, you may not have heard that SHA-1 is deprecated. But SHA-1 is worse than vulnerable. Recent collision attacks have proven that SHA-1 is officially broken. That makes it even more puzzling to learn that ANY sites rely on SHA-1, let alone a substantial percentage. Yet, it appears that 21% of websites are still using the exploitable SHA-1 hashing algorithm, according to Venafi Labs research on over 33 million publicly visible IPv4 websites.

SHA-1 collisions should have taken no one by surprise. It was only a matter of time until computing power caught up with the SHA-1 algorithm. Cryptanalysts began warning of SHA-1 weaknesses in 2005. But it wasn’t until February of 2017 that we had definitive proof, when researchers from Google and leading universities demonstrated that the deprecated cryptographic hash algorithm still used to sign many website digital certificates can be manipulated.

Fixing this problem seems to be relatively straightforward. Organizations can immediately reduce vulnerability by rotating out old SHA-1 certificates and replacing them with newly issued certificates that use SHA-2. But if it’s so straightforward, why are so many organizations still using SHA-1? It’s a good question. I think it’s safe to assume that no organization would intentionally leave itself open to security breaches, compliance problems, and outages that can affect security, availability, and reliability. So, the explanation must be less obvious.

"I suspect that many organizations may simply be unaware that they still have any SHA-1 certificates on their networks because they are relying on certificate authority (CA) tools to manage their keys and certificates. The problem with this approach, especially now that free and very low cost certificates are widely available, is that anyone in your organization can get and install a certificate that uses weak hashing algorithms and install it on your network," says Shelley Boose, Director of PR and Content Marketing, Venafi.

Kevin Bocek, Venafi VP of security strategy, outlines why he thinks many organizations are lagging, “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”

Aside from the obvious vulnerability issues, SHA-1 may also disrupt web transactions and traffic in a variety of ways:

  • Browsers will display warnings to users that the site is insecure, prompting users to look for an alternative site.
  • Browsers will not display the ‘green padlock’ on the address line for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
  • Sites may experience performance problems; in some cases, access to websites may be completely blocked.

Related Tags - SHA-1, Google, Microsoft, Mozilla, Browser
