One-Fifth of Websites Still Running SHA-1, Risking Security Issues

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
The death knell for security standard SHA-1 has been sounding for a number of years now, and Google’s cracking of it in February turned the volume up even higher. Despite this, it seems many websites aren’t yet ready to say goodbye.

New research from Venafi has revealed that 21% of websites they tested are still using SHA-1 certificates. This figure is down from the 36% they discovered in November 2016, but there is still a long way to go to ensure a safer online experience.

Those websites still running SHA-1 certificates instead of the more secure SHA-2 are leaving themselves and their customers open to security breaches, compliance problems and outages that can affect data protection, availability and reliability, Venafi said. Those sites running SHA-1 will no longer display the green padlock indicating a secure website.

Even profits can be affected, as users who are struggling with the usability of the website or are scared away by security warnings are far more likely to abandon the website and seek an alternative. Using SHA-1 could render some sites completely unavailable depending on security settings. Venafi also said that use of SHA-1 could increase help desk calls, as frustrated users who cannot access the site will contact customer services.

“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”

Even before Google’s cracking of the SHA-1 standard via a collision attack, the industry was moving away from it. Microsoft declared in November 2016 that it was no longer secure and support for websites running it would end in mid-2017. Mozilla, maker of the Firefox browser, said the same thing a month earlier. Google said as early as 2014 that it would phase out use of SHA-1.

Venafi conducted its test in February 2017, analyzing 33 million publicly visible IPv4 websites using certificate intelligence service Venafi TrustNet. Over one in five certificates for unique IP addresses were using SHA-1 at the time of the test.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Through Shaaaaaaaaaaaaa you can check the type of the hash used by the certificate of a site. The software used by Shaaaaaaaaaaaaa is public, so you can run tests directly from your computer.

www.malwaretips.com has a certificate chain signed with SHA-2. :)
 
  • Like
Reactions: shmu26

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top