The Downfall Of SHA-1

[Sitting-Duc]

Just for anyone like me and is interested in the security side of computing.

 

SHA-1 has had a collision detected and should now be viewed as an insecure encryption method. The CA's and browser authorities are voting on the matter of how long to honor certificated issued with SHA-1 encryption and it will probably be only to the end of 2016 (https://cabforum.org/pipermail/public/2015-October/006048.html).

 

This is similar to when MD5 collisions started to be detected and a similar process will now take place to remove the functions use from computing.

 

The collision details can be found here: https://docs.google.com/viewer?url=https%3A%2F%2Fsites.google.com%2Fsite%2Fitstheshappening%2Fshappening_article.pdf%3Fattredirects%3D0

[loaderXI]

What kind of Global impact will this have as far as the transition not being met by companies and major websites...If you could or had to give a percentage at a guess...What would you give ? and what major effects could be seen from this as far as securities 

[Sammy]

Looks like you have to be a pretty advanced mathematician to understand all of that.

[Sitting-Duc]

@@loaderXI Easily over 80% of secure websites are using SHA1, probably closer to 90%. That means within the next year they all have to reissue their certificates using SHA2 or another supported encryption method. The released collision is not usable but confirms that today's technologies are now able to create collisions and therefore begin to exploit them. Conspiracy theorists will jump saying that governments are most likely already exploiting the encryption method like they did with MD5.

 

For the average user it doesn't matter that much but it certainly shows how encryption is not infallible.

 

 

[eidolonFIRE]

wow.....  at least AES is still holding lol.

[Sammy]

Yup some governments are most definitely doing it. At least on a low level. Simply because if they didnt do it they they wouldnt be very good at their jobs.