SHA-2 encryption will make many sites inaccessible to users who can’t afford newer tech
A group of security researchers has recently announced that it’s highly likely that effective collision attacks that would break SHA-1 encryption will be revealed by the end of 2015.
“We estimate the SHA-1 collision cost today (i.e., Fall 2015) between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few months. By contrast, security expert Bruce Schneier previously projected (based on calculations from Jesse Walker) the SHA-1 collision cost to be ~173K$ by 2018. Note that he deems this to be within the resources of a criminal syndicate. Large corporations and governments may possess even greater resources and may not require Amazon EC2,” the researchers noted.
“Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 based SSL certificates by 2017 (and that SHA-1-based certificates should not be issued after 2015),” they pointed out, and recommended that SHA-1 based signatures should be marked as unsafe much sooner than prescribed by current international policy.
This is all-around bad news for Internet users and system and web server administrators. If they haven’t already, the latter should start exploring methods and techniques for moving from SSL and code signing certificates signed with the SHA-1 hashing algorithm to those signed with SHA-2, as well as tools that can help them make the migration.
But while most Internet users can rest safe that newer versions of the popular browsers will allow them to continue to surf the Web without any problems, those in poorer and less developed countries, and those who use older browsers or devices incompatible with SHA-2 and can’t afford to upgrade, will find it difficult to access sites like Google (and Gmail), Twitter, Facebook and other popular sites encrypted with the more secure cryptographic hashing algorithm.
It is estimated that by the end of this year, as little as 10 percent of all websites will still be using SHA-1, and the percentage will only get lower in the months after that.
“We’re about to leave a whole chunk of the internet in the past,” CloudFlare CEO Matthew Prince told ZDNet. The exact number of affected users is difficult to estimate, but it’s likely that most will be from China, Africa, India and other developing nations.
According to Ivan Ristic, head of of SSL Labs at Qualys, users with old browsers and operating systems that do not support SHA-2 certificates will “start to experience problems with increased frequency throughout 2016”, as many sites are “75 percent through to SHA2 migration.”
With successful collision attacks against SHA-1 being so close to happening, it’s likely that migration to SHA-2 will accelerate, and that the retiring of SHA-1 based certificates will come sooner that initially announced.
As it seems right now, those users who won’t be able to make the technological jump are likely to be left behind.
Finally, as an interesting sidenote: the US National Institute of Standards and Technology (US NIST) has recently released the final version of the SHA-3 standard, which can be used as a backup to SHA-2.