Many US government organizations use newly issued certificates signed with SHA-1

Feb 5, 2014 15:26 GMT  ·  By

In 2011, the National Institute of Standards and Technology (NIST) released a special publication with recommendations on transitioning the use of cryptographic algorithms. At the time, NIST noted, “SHA-1 shall not be used for digital signature generation after December 31, 2013.”

However, experts from Netcraft noticed that, on January 23, a newly released SSL certificate issued by VeriSign for nist.gov still used SHA-1. An SHA-1 certificate has also been issued this year for xnfiles.nist.gov.

NIST is not the only US government organization that continues to use the outdated hashing algorithm. The list includes the Obamacare website healthcare.gov, the Navy’s donogc.navy.mil and several Bankruptcy Court sites.

Worryingly, 92% of the certificates issued this year use SHA-1.

While it’s not an easy task to impersonate HTTPS websites by finding SHA-1 hash collisions, it’s certainly not impossible, especially for a well-funded attacker such as a government agency.

It’s worth noting that after Netcraft published its report, NIST replaced the certificate on nist.gov with one that uses SHA-256. However, the certificate for xnfiles.nist.gov still hasn’t been replaced.