Software’s biggest advantage is that innovations can be rapidly adopted. But that’s also its biggest downfall: It’s incredibly difficult for everyone to move on after that software is no longer deemed safe. SHA-1 is the latest example in a long list of technologies that needs to be abandoned ASAP.
Cryptographic hash functions are used to encrypt traffic and protect the contents of online communications, to locate data records in hash tables, to build caches for large data sets, to find duplicate records, to manage code repositories, and a variety of other uses cases. Whether it’s validating an update or a credit card transaction, chances are SHA-1 is still in use.
Browsers and websites use hash functions by creating a unique fingerprint and digitally signing each chunk of data to prove that a message has not been altered or tampered with when it passes through various servers. When the Certificate Authority and Browser Forum published their Baseline Requirements for SSL in 2011, the SHA-1 cryptographic hash algorithm was essentially deprecated. They identified security weaknesses in SHA-1 and recommended that all certificate authorities (CAs) transition away from SHA-1 based signatures, with a full sunset date of January 1, 2016. The U.S. National Institute of Standards and Technology banned the use of SHA-1 by U.S. federal agencies back in 2010.
Unfortunately, SHA-1 is still in use today. This is despite years of warnings from network security experts…