In November New Statesman Tech published a report, based on research from the security company Venafi, suggesting that up to 50 per cent of websites were still relying on TLS certificates signed with the Secure Hash Algorithm-1 (SHA-1), which the major browsers had announced they would stop trusting in January.
The effect would be that such sites simply would not load in modern browsers, which display a security error instead of the page. The good news is that, according to fresh data from Venafi, a large number of companies have since addressed the problem. The bad news is that 21 per cent of organisations have still not completed the migration.
The even worse news is that SHA-1 has now been broken in practice, not just in theory.
Attack on the old
On 23 February this year, the Cryptology Group at Centrum Wiskunde & Informatica (CWI, a Dutch research institute) and the Google Research Security, Privacy and Anti-abuse Group announced the first practical collision for SHA-1: two different PDF files that produce the same SHA-1 hash. A collision does not expose a site's private key, but it breaks the property digital signatures rely on, because a signature over one document's hash is equally valid for its colliding twin. The demonstrated attack used an identical-prefix collision, which does not on its own let an attacker forge an existing certificate; the earlier history of MD5 shows, however, that such attacks improve quickly, so SHA-1 can no longer be trusted for signatures of any kind. Certificates signed with SHA-2 (in practice SHA-256) do not share this weakness, and all sites should have moved to them by the beginning of 2017.
The problem is, as stated above, that not all of them have done so, and that leaves the door open to attackers.
“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to [the OpenSSL vulnerability] Heartbleed, and unfortunately I’m sure we are going to see it again.”
For sites still on the old standard the most immediate effect is unavailability, as browsers refuse to load them. In the private sector that means lost business and therefore money; in the public sector it means disrupted service delivery; and in both cases it leaves an avoidable weakness should anyone choose to exploit it.
It is worth checking your own sites. The quickest test is to open them in a current browser such as Chrome or Firefox: a SHA-1 certificate now produces a “connection is not secure” style warning rather than the page. A more reliable check is to inspect the certificate itself and confirm that its signature algorithm is SHA-256 (or another SHA-2 variant) rather than SHA-1.
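One way to do that check yourself, as an added example that is not part of the original article: a Python 3 script using only the standard library that reads the signatureAlgorithm field out of a certificate's DER encoding (the structure defined in RFC 5280) and flags SHA-1 and MD5. The `make_skeleton_cert` helper builds a constructed, non-verifiable certificate-shaped blob so the script can be run offline; `check_host` is the function you would point at your own site, and `check_pem` handles a certificate saved to disk. The OID-to-name table is taken from RFC 3279, RFC 4055 and RFC 5758.

```python
"""Report which hash a certificate's signature uses, standard library only."""
import socket
import ssl
import sys

# OID -> signature algorithm name (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_HASHES = ("md5", "sha1")


def _read_tlv(buf, pos, expect=None):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if expect is not None and tag != expect:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (expect, tag))
    return tag, pos, pos + length


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _alg_oid(buf, pos):
    """Read AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY } at pos."""
    _, start, _ = _read_tlv(buf, pos, expect=0x30)
    _, s, e = _read_tlv(buf, start, expect=0x06)
    return _decode_oid(buf[s:e])


def signature_algorithm(der):
    """Return the signature algorithm name of a DER-encoded certificate.

    RFC 5280 requires the outer signatureAlgorithm to equal tbsCertificate.signature;
    a mismatch is rejected rather than silently trusting either copy.
    """
    _, cert_start, _ = _read_tlv(der, 0, expect=0x30)                 # Certificate
    _, tbs_start, tbs_end = _read_tlv(der, cert_start, expect=0x30)   # tbsCertificate
    tag, _, pos = _read_tlv(der, tbs_start)                           # [0] version or serialNumber
    if tag == 0xA0:                                                   # version present (v2/v3)
        _, _, pos = _read_tlv(der, pos, expect=0x02)                  # serialNumber follows it
    inner, outer = _alg_oid(der, pos), _alg_oid(der, tbs_end)
    if inner != outer:
        raise ValueError("tbsCertificate.signature %s != signatureAlgorithm %s" % (inner, outer))
    return SIG_ALG_OIDS.get(outer, outer)                             # unknown OIDs returned dotted


def uses_weak_hash(alg_name):
    """True for MD5- or SHA-1-based signature algorithms."""
    return any(h in alg_name.lower() for h in WEAK_HASHES)


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_skeleton_cert(sig_oid):
    """Constructed sample: a certificate-shaped blob carrying only the fields
    signature_algorithm() reads. Not a valid or verifiable certificate."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")          # NULL params
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg_id)
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00" + bytes(16)))            # dummy signature


def check_pem(pem_text):
    """Inspect a PEM certificate saved from a server or exported from a browser."""
    name = signature_algorithm(ssl.PEM_cert_to_DER_cert(pem_text))
    return name, uses_weak_hash(name)


def check_host(host, port=443):
    """Fetch a live site's leaf certificate. Verification is disabled on purpose: a
    default context would abort the handshake on exactly the SHA-1 certificates we want to find."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        name = signature_algorithm(s.getpeercert(binary_form=True))
    return name, uses_weak_hash(name)


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # usage: python check_sha1.py your-site.example
        print(check_host(sys.argv[1]))
    else:                                  # offline run over the constructed samples
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            name = signature_algorithm(make_skeleton_cert(oid))
            print(name, "WEAK" if uses_weak_hash(name) else "ok")
```

Run it with a hostname to inspect a live site, or save the certificate with your browser and pass the PEM text to `check_pem`. Note that only the leaf certificate is examined here; intermediates in the chain deserve the same check, and a self-signed root's own SHA-1 signature is not a concern because browsers trust roots by identity rather than by verifying their signature.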