Google helps put aging SHA-1 encryption out to pasture


The decades-old SHA-1 hash function used to protect websites is already dying, but a discovery from Google and security researchers at CWI Amsterdam could be the killing blow. For the first time, they've found a practical way to generate a "collision": two different inputs that produce the same SHA-1 hash. The discovery makes it 100,000 times easier for attackers to slip malicious files into websites or servers than a brute force attack would. That news should help end its use, increasing security around the internet.

Breaking SHA-1 has been a goal of security researchers for quite a while, so it's quite a feather in Google's cap to be first. (It's possible, though, that the NSA, Russians or others have had one that they've kept under wraps.) The team said that the collision "is one of the largest computations ever completed," so Google's cloud infrastructure was an indispensable part of that.

There's no great danger for users. Google Chrome, Microsoft's Edge, Firefox and all other major browsers flag HTTPS sites that use SHA-1 as insecure with a big red warning -- so very few use it for verifying digital content. The team won't release the attack (Dad-jokingly called "SHAttered") for 90 days, in order to give affected sites time to deal with it.


Also, even though Google has made it 100,000 times faster to crack a SHA-1 certificate, it would still require some serious computing horsepower to do so. Google says a brute force attack on a certificate would take 12 million GPUs running for a full year, while the SHA-1 "Shattered" attack takes just 110 GPUs. For now, however, you'd still need a supercomputer or server farm (or a bot farm) to crack one in a reasonable amount of time.

As a proof of concept, Google is hosting two PDFs with different content but the same SHA-1 hash, and has supplied the public with a free detection app. It had a lot of motivation to be first with a collision. It led the movement to deprecate SHA-1 because its advertising business relies heavily on secure sites and ad platforms -- making the discovery a giant "I told you so" of sorts.
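An added illustration, not part of the article and not Google's or CWI's code: the pure-Python SHA-1 below exposes the Merkle-Damgård chaining that makes a single colliding block pair so valuable. SHA-1 absorbs a file 64 bytes at a time into a 160-bit internal state, and the bytes that follow only ever see that state, never the earlier bytes themselves. So once two different prefixes reach the same state, every shared suffix yields the same digest, which is why one collision computation is enough to produce a pair of complete, differently-readable files with identical hashes. The function names and the sample prefixes and suffix are my own constructions, and the implementation is cross-checked against `hashlib`.

```python
"""Pure-Python SHA-1 (added example) showing Merkle-Damgard chaining and why a
colliding prefix pair extends to any number of colliding files with a shared suffix."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# Standard SHA-1 initial chaining value (FIPS 180-4).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """Compression function: 160-bit chaining state + one 64-byte block -> new state."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def _pad(tail, total_len):
    """Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then total length in bits."""
    padded = tail + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", total_len * 8)


def sha1_from_state(state, tail, prefix_len):
    """Finish SHA-1 given the chaining state reached after `prefix_len` bytes
    (a multiple of 64) and the remaining bytes `tail`. The prefix bytes are not needed."""
    padded = _pad(tail, prefix_len + len(tail))
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return "".join(f"{v:08x}" for v in state)


def sha1_hex(msg):
    """Full SHA-1 of a message, from the standard IV."""
    return sha1_from_state(SHA1_IV, msg, 0)


def chaining_state(prefix):
    """Internal 160-bit state after absorbing a whole-block prefix."""
    assert len(prefix) % 64 == 0
    state = SHA1_IV
    for off in range(0, len(prefix), 64):
        state = sha1_compress(state, prefix[off:off + 64])
    return state


def cross_check(msg):
    """True when this implementation agrees with the platform's hashlib SHA-1."""
    return sha1_hex(msg) == hashlib.sha1(msg).hexdigest()


def suffix_cannot_distinguish(prefix_a, prefix_b, suffix):
    """Return (states_equal, digests_equal) for prefix_a+suffix vs prefix_b+suffix.

    The digests are computed from the chaining states alone, so whenever the two
    prefixes reach the same state (what a real collision pair provides), the digests
    are equal for every suffix. Ordinary, unrelated prefixes give (False, False)."""
    sa, sb = chaining_state(prefix_a), chaining_state(prefix_b)
    da = sha1_from_state(sa, suffix, len(prefix_a))
    db = sha1_from_state(sb, suffix, len(prefix_b))
    return sa == sb, da == db


if __name__ == "__main__":
    # Constructed sample data: two unrelated 64-byte prefixes and a shared suffix.
    prefix_a = bytes(range(64))
    prefix_b = bytes(reversed(range(64)))
    suffix = b"identical trailing content shared by both files"
    print("matches hashlib:", cross_check(prefix_a + suffix))
    print("unrelated prefixes (states_equal, digests_equal):",
          suffix_cannot_distinguish(prefix_a, prefix_b, suffix))
    print("same state, any suffix (states_equal, digests_equal):",
          suffix_cannot_distinguish(prefix_a, prefix_a, suffix))
```

The defensive takeaway is that inspecting or hashing only the "rest" of a file after a suspicious block proves nothing about uniqueness under SHA-1, and that a digest algorithm whose collisions are affordable cannot anchor signatures or integrity checks; verifying with SHA-256 (or running Google's detection app over existing SHA-1 artifacts) is the fix.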
