21% of Websites Still Use SHA-1. Don’t They Know It’s Broken?

March 7, 2017 | Shelley Boose

SHA-1 is on the verge of breathing its last. But someone needs to notify the next of kin, because new research from Venafi® Labs shows that one in five of the world’s websites is still using certificates signed with the broken hash algorithm SHA-1. It is not as if these organizations didn’t know SHA-1 was a problem: all major browsers now show security warnings to visitors who reach sites that present SHA-1 certificates.

If you have been living in a cave for the past several years, you may not have heard that SHA-1 is deprecated. But SHA-1 is worse than deprecated. Recent collision attacks have proven that SHA-1 is broken in practice, not just in theory. That makes it all the more puzzling that any sites rely on SHA-1, let alone a substantial share. Yet 21% of websites are still using the SHA-1 hashing algorithm, according to Venafi Labs research on over 33 million publicly visible IPv4 websites.


SHA-1 collisions should have surprised no one. It was only a matter of time until computing power caught up with the algorithm. Cryptanalysts began warning of SHA-1 weaknesses in 2005. But it wasn’t until February 2017 that we had definitive proof, when researchers from Google and CWI Amsterdam published the first practical SHA-1 collision: two different PDF files with the same SHA-1 digest. That matters for certificates because a CA’s signature covers the hash of the certificate, not the certificate itself, so two certificates that collide under SHA-1 share one valid signature. The deprecated hash algorithm still used to sign many website certificates can therefore be manipulated.

Fixing this problem seems relatively straightforward. Organizations can immediately reduce their exposure by rotating out old SHA-1 certificates and replacing them with newly issued certificates signed with SHA-2 (in practice, SHA-256). But if it’s so straightforward, why are so many organizations still using SHA-1? It’s a good question. I think it’s safe to assume that no organization would intentionally leave itself open to security breaches, compliance problems, and outages that affect security, availability and reliability. So the explanation must be less obvious.

I suspect that many organizations are simply unaware that they still have SHA-1 certificates on their networks because they rely on certificate authority (CA) tools to manage their keys and certificates, and a CA’s portal only shows the certificates that CA issued. The problem with this approach, especially now that free and very low-cost certificates are widely available, is that anyone in your organization can obtain a certificate that uses a weak hashing algorithm from some other source and install it on your network without it ever appearing in that inventory.
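Both the fix described above (rotate SHA-1 certificates out for SHA-256) and the inventory problem it runs into come down to one question: which hash algorithm signed each certificate you actually serve? The following is an added example, not code from this post or from Venafi, that answers that question with the Python standard library alone. It parses only the outer DER structure of a certificate to read the signatureAlgorithm OID, which is the field browsers warn about, so it can be run over a dump of DER files or pointed at live hosts with the hypothetical `check_host` helper. The OID table and the sample certificates are constructed for the example and are assumptions, not data from the post.

```python
"""Fleet check for SHA-1 signed leaf certificates, standard library only.

Added example, not code from the original post or from Venafi. The OID
table and the constructed sample certificates are assumptions for this demo.
"""
import base64
import ssl

# AlgorithmIdentifier OIDs for common signature algorithms (RFC 3279, 4055, 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
WEAK_HASHES = {"MD5", "SHA-1"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn OID content octets (base-128 arcs) into dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, hash) from the outer signatureAlgorithm field.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate whole
    tag, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_octets, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_octets)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest

def is_weakly_signed(der):
    """True when the certificate signature uses MD5 or SHA-1."""
    return signature_algorithm(der)[2] in WEAK_HASHES

def check_host(host, port=443):
    """Classify the leaf certificate a live server presents (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return signature_algorithm(base64.b64decode(body))

# Constructed fixtures: DER skeletons with a dummy body, not valid certificates.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def sample_certificate(sig_oid):
    """Dummy tbsCertificate (exercises long-form length), given algorithm, empty sig."""
    tbs = _der(0x30, _der(0x02, b"\x02") + b"\x00" * 300)
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))
```

Two caveats when running this against real hosts: `ssl.get_server_certificate` returns only the leaf certificate, so intermediates sent in the handshake need the same check separately, while a SHA-1 signature on a self-signed root in the trust store is harmless because clients never verify a root’s own signature. Unknown OIDs are reported rather than assumed safe, so anything classified as "unknown" deserves a manual look.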

Kevin Bocek, Venafi VP of security strategy, outlines why he thinks many organizations are lagging, “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”

Aside from the cryptographic weakness itself, SHA-1 certificates can disrupt web transactions and traffic in several ways:

  • Browsers display warnings that the site is insecure, prompting users to look for an alternative site.
  • Browsers do not show the ‘green padlock’ on the address bar for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
  • Browsers are progressively tightening their handling of SHA-1, so sites may see degraded behaviour and, in some cases, access is blocked outright.

Do you know whether your website’s users are seeing browser warnings like those shown below?

[Screenshots: SHA-1 certificate warnings as displayed by Chrome, Firefox, Safari and Opera]


About the author

Shelley Boose
Shelley Boose

Shelley is Director of PR and Content Marketing at Venafi. In her own words, "I help companies translate complex technologies into engaging and compelling, digital stories."
