Websites need to act fast to protect customer data from SHA-1 attacks and prevent browser shut-out

Major web browsers are to consider blocking the cryptographic hash function Secure Hash Algorithm (SHA)-1 from as early as June this year as it becomes increasingly vulnerable to forgery attacks. In light of this Oscar Arean, technical operations manager of disaster recovery provider Databarracks, advises businesses to act now in order to protect customer data.

The SHA algorithm was developed by the US National Institute of Standards and Technology (NIST) to be used when digitally signing signatures. In effect, it acts as a 'fingerprint' making it easy to tell if a document has been modified. Until recently, many believed the complex algorithm would be immune from hackers due to the significant costs of attacking SHA-1. However, with the advent of increasingly affordable cloud computing, this figure has dropped drastically, as Arean explains:

"Around three years ago, researchers estimated that a practical attack against SHA-1 would cost around $700,000 using commercial cloud computing services. But recently researchers estimated that this could cost between $75,000 and $120,000 renting the Amazon EC2 cloud platform - well within the reach of the cyber criminal's budget. Because of the increased danger of malicious tampering with SHA-1 encrypted documents, Google, Microsoft and Mozilla have decided to stop trusting SHA-1 through their respective web browsers, with actions potentially being taken to block access by as early as this summer (June 2016).

"This will obviously have a big impact on those businesses still using SHA-1. Some websites' password verification, proof-of-work and message integrity processes are still based on the SHA-1 algorithm, meaning that sensitive customer information is at significant risk from dangerous cyber-attacks. Moreover, with the major web browsers snubbing SHA-1 certificates, potential visitors would be blocked or refused access if trying to visit a SHA-1 encrypted site. The results are thus either a breakdown of trust from a website's users, or a complete lack of traffic due to incompatibility with modern browsers. Clearly, both are severely damaging to any website's business and so website managers need to act quickly to ensure their encryption methods are up to date, secure and trusted by both consumers and web browsers."

Thankfully, Arean explains, upgrading SHA-1 to SHA-256 can alleviate these security and compatibility concerns. The process can be straightforward as well, and rests upon working with a strong certificate provider and educating a user base about these changes:

"Organisations looking to upgrade their website's encryption services need only to contact their certificate provider and purchase the SHA-256 certification. That's really it - the provider can make the necessary encryption changes and sign off, as an independent third party, that your site's hashing algorithm is legitimate.

"When educating your users about this change, the situation can become more complicated. Old browsers or operating systems, such as Windows XP SP2, do not support SHA-2. As such, websites need to be clear that after the upgrade, users will need to use new browsers, such as Firefox, which are still compatible with their hardware while supporting the secure SHA-256."

Arean concluded: "Websites that are yet to upgrade to the SHA-256 model need to act quickly - a failure to move away from SHA-1 could mean the end for sites using the now insecure hashing algorithm. It's imperative businesses action this now by making the necessary upgrades."