Over a Million Websites Are Still Using SHA-1

Oct 21, 2015

Faulty hash algorithm persists, despite efforts by experts to raise awareness.

A study by the security firm Netcraft has determined that over a million websites are still using SSL certificates based on the SHA-1 hashing algorithm, which is known to be insecure. Several high-profile companies are among the list of organizations that still use the discredited SHA-1.

Security experts have known for a few years that SHA-1 is vulnerable to attack, with the only question being how much does it cost to attack it? According to a report in the Register, in 2012, it was estimated that a successful attack on SHA-1 would cost $173,000 in compute time by 2017. Netcraft reports the attack can now be accomplished with $75-$120K in Amazon EC2 compute resources.

Although such as rate would rule out high school script kiddies and small-time meth addicts, a $75,000 investment to hack a corporate network is well within the budget of many criminal and government espionage organizations.

All networks are strongly advised to upgrade to certificates based on SHA-2 and SHA-3-family algorithms.

Related content

comments powered by Disqus

Issue 33: Discover LibreOffice/Special Editions

Buy this issue as a PDF

Digital Issue: Price $15.99
(incl. VAT)

News