14 DAY TRIAL // Mozilla announces it is getting close to the end of its deprecation plan for the SHA-1 algorithm in the public Web.
Following Google's announcement in collaboration with CWI Amsterdam researchers regarding the first practical collision for SHA-1, Mozilla says this only affirms the insecurity of the algorithm and reinforces something that they've believed in for a while - SHA-1 must be retired from security use on the Web.
Mozilla's plans for the deprecation of SHA-1 were first announced in 2015. Then, last fall, the company said they'd been disabling SHA-1 for an increasing number of Firefox users since the release of Firefox 51, using a gradual phase-in technique. "Tomorrow, this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52," the company's announcement reads.
As for the effects of this move, Mozilla claims that it will only affect people accessing websites that have not yet migrated to SHA-2 certificates, which is under 0.1% web traffic.
"In parallel to phasing out insecure cryptography from Firefox, we will continue our outreach efforts to help website operators use modern and secure HTTPS," they add.
Big day for online security
Google announced earlier today that it has managed to demonstrate the first ever SHA-1 hash collision. This means that they've managed to create two different documents that have the same SHA-1 hash signature.
While it's true that Google put a lot of hours, man power and computing resources at work to achieve this, it proves that SHA-1 is outdated and no longer secure in any way.
"Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google," the company wrote in a blog post.