Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

1 in 5 Websites Still Use SHA-1: Report

While most certificate authorities (CAs) haven’t been issuing certificates using the SHA-1 cryptographic hash function for more than two months, 1 in 5 websites worldwide still use such certificates, according to analysis by security firm Venafi.

While most certificate authorities (CAs) haven’t been issuing certificates using the SHA-1 cryptographic hash function for more than two months, 1 in 5 websites worldwide still use such certificates, according to analysis by security firm Venafi.

Not only did CAs migrate to the more secure SHA-2 certificates on Jan. 1, 2017, but major browser makers also decided to adopt the change, including Google, Microsoft and Mozilla, and their browsers no longer trust sites that use SHA-1 certificates. Even Facebook announced plans to retire SHA-1.

Despite that, many webmasters are still behind with the transition, as 21% of all websites that use certificates still use the insecure cryptographic hash function, Venafi says, based on the analysis of over 33 million publicly visible IPv4 websites. Granted, things are looking much better compared to last fall, when 35% of websites were still using SHA-1, but recent research has proven that the crypto function is officially broken.

SHA-1 has been long said to be vulnerable to collision attacks, but it wasn’t until this year that the function was proven fundamentally broken. What’s surprising, however, is that webmasters didn’t transition to SHA-2 or SHA-3 sooner. It’s doubtful that they would knowingly leave their sites vulnerable.

“I suspect that many organizations may simply be unware that they still have any SHA-1 certificates on their networks because they are relying on certificate authority (CA) tools to manage their keys and certificates. The problem with this approach, especially now that free and very low cost certificates are widely available, is that anyone in your organization can get and install a certificate that uses weak hashing algorithms and install it on your network,” said Venafi’s Shelley Boose.

In addition to making both websites and their users vulnerable to attacks, the continuous use of SHA-1 can also disrupt the browsing experience, because web browsers display warnings when encountering insecure sites, prompting users to look for alternatives. The green padlock that browsers display to mark HTTPS transactions will no longer be associated with SHA-1 sites, and performance issues might also alter users’ experience, Venafi notes.

Related: Apache Subversion System Affected by SHA-1 Collision

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).