SHA-1 usage is going down, but not fast enough

Oct 21, 2015 15:16 GMT  ·  By

Two weeks ago, researchers from universities in France, Holland, and Singapore revealed they managed to fully crack the SHA-1 encryption using less financial resources than previously expected.

By cutting down the cost of the attack to a sum between $75,000 and $120,000 (€67,000 and €107,000), the researchers made future attacks on SHA-1 data much more plausible, especially from cyber-criminal groups and state-sponsored actors.

The problems with SHA-1 have been known for many years, and many companies have already moved on to SHA-2 or even SHA-3. Mozilla had already announced its SHA-1 deprecation plan back in September 2014, and yesterday it revealed that it has reached phase 2 of its three-stage plan.

According to Mozilla's Richard Barnes, Firefox now shows a warning in its Web Console telling site operators that they should no longer use SHA-1 certificates, and Mozilla has also implemented an “Untrusted Connection” error whenever Firefox encounters a SHA-1 certificate issued after January 1, 2016.

The only step left for Mozilla's team is to have Firefox show the same “Untrusted Connection” error for any SHA-1 certificate it encounters after January 1, 2017, regardless of when the certificate was issued.

The recent cracking of the SHA-1 algorithm has made Mozilla rethink its strategy

"We are re-evaluating when we should start rejecting all SHA-1 SSL certificates (regardless of when they were issued). As we said before, the current plan is to make this change on January 1, 2017," said Richard Barnes. "However, in light of recent attacks on SHA-1, we are also considering the feasibility of having a cut-off date as early as July 1, 2016."
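The phased policy described above, written out as a check over a parsed certificate using Go's standard library. This is an added example, not Mozilla's or Firefox's code: the three dates come from the article, while the self-signed test certificate, the hostname example.test and the function names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Article dates: SHA-1 certs issued on/after IssuedCutoff fail now; all SHA-1 certs fail from RejectAll (or the earlier date).
var IssuedCutoff = time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
var RejectAll = time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
var RejectAllEarly = time.Date(2016, 7, 1, 0, 0, 0, 0, time.UTC)
// Evaluate applies the phased policy as of "now": "accept" (not SHA-1), "warn" (console warning) or "untrusted".
func Evaluate(c *x509.Certificate, now, rejectAll time.Time) string {
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1: // SHA-1 with any key type
	default:
		return "accept"
	}
	if !now.Before(rejectAll) || !c.NotBefore.Before(IssuedCutoff) {
		return "untrusted"
	}
	return "warn"
}
// SelfSigned builds a constructed self-signed test cert with the given algorithm and NotBefore, then re-parses its DER.
func SelfSigned(alg x509.SignatureAlgorithm, notBefore time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0), SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := SelfSigned(x509.SHA1WithRSA, time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println(Evaluate(c, time.Date(2016, 4, 1, 0, 0, 0, 0, time.UTC), RejectAll)) // untrusted
}
```

Passing RejectAllEarly instead of RejectAll shows how many more certificates the July 1, 2016 cut-off Mozilla was considering would have rejected.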

While this may not seem important, a recent study carried out by Netcraft and published a few days ago reveals that, even in 2015, 20 years after SHA-1 was released, over 1 million websites are still using it.

The good news is that SHA-2 adoption has gone up since January 2014, and SHA-2 is now deployed on twice as many sites as SHA-1. The CA/Browser Forum will also forbid the issuing of new SHA-1 certificates starting in 2016.

SHA-1 and SHA-2 usage on the Web

Mozilla is rethinking SHA-1 policies for Firefox