Skip to main content
banner image
venafi logo

SHA-1 Collides with Reality: And It’s DOA.

SHA-1 Collides with Reality: And It’s DOA.

SHA-1 collision attacks
February 24, 2017 | Scott Carter

It’s not like we didn’t know SHA-1 was vulnerable. It’s been deprecated for years. But somehow our false sense of security persisted. And we optimistically hoped that it would remain too expensive and time-consuming to crack the hash for a little while longer. Well, it’s time to face reality. SHA-1 is officially broken. Collision attacks have now moved from the realm of theoretical to the practical. Researchers from Google collaborated with the CWI Institute in Amsterdam to prove that it’s possible to break the SHA-1 hash algorithm. 

Collision attacks allow cyber criminals to forge certificates and perform man-in-the-middle attacks on SSL/TLS connections. In a collision attack, the same hash is generated multiple times, allowing an attacker to trick the encryption into artificially validating a malicious file. Google researchers noted, “It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.” In other words, a SHA-1 signature produced for one file could be misused as a valid signature for any other colliding file.

How big is the potential impact of a collision attack? The Google blog outlines the most vulnerable areas for SHA-1 attacks. “You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage.” According to TechCrunch, systems that could be compromised by collision include, “document signature, HTTPS certificates, version control (git), backup systems, software updates, ISO checksums and more.”

“Google's announcement just confirms what is already known: SHA-1 is simply not secure”, comments Venafi chief security strategist, Kevin Bocek. "Attacks against SHA-1 are no longer science fiction. Unfortunately, despite the dangers, many organizations are just not reacting quickly.”

This should all be a bit frightening for any organization that has not yet completely migrated away from SHA-1. In fact, Google researchers warned that the vulnerable SHA-1 protocol should no longer be considered secure. The researchers caution SHA-1 laggards to take their findings seriously. “We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.”

The reality is that SHA-1 migration has been urgent for a long time. Yet many organizations have had trouble committing to the transition. And repeatedly crying wolf doesn’t seem to have accelerated the transition. In November Venafi research found that 35 percent of organizations were still using SHA-1 certificates. "These companies might as well put up a welcome sign for hackers that says, ‘We don't care about the security of our applications, data and customers',” Bocek told SC Magazine.

It’s well past time to put up a “no trespassing” sign for SHA-1 collision attacks. Browsers are already issuing security warnings for websites that still use SHA-1 certificates. And, even if you have convinced yourself that it’s okay to ignore these warnings, your customers and partners may not agree.

Do you have any SHA-1 certificates lurking in some remote part of your network? Now is the time to dig deep and carefully inspect certificates across all of your your certificate authorities.  

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Déjà Vu at LinkedIn: Second TLS Certificate Expiry in 2 Years

Déjà Vu at LinkedIn: Second TLS Certificate Expiry in 2 Years

Prepare this presentation and send it to me, once approved you can teach entire team.

Overheard at Machine Identity Protection Global Summit 2019

machine identity protection

Leaders Underscore the Critical Nature of Machine Identity Protection at Inaugural Global Summit

About the author

Scott Carter
Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat