The SHA-1 hash algorithm used for digital signatures has been deemed vulnerable by security specialists, prompting accelerated migration to SHA-2 for better security. Privacy specialist Bruce Schneier previously predicted that hackers would be able to afford to attack SHA-1 by 2015, as costs were estimated at $700,000.
However, recent research using the power of the cloud and rented graphics cards has significantly lowered the price of renting the services that could be used to break the SHA-1 crypto hash.
“We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around 100,000 dollars renting graphics cards in the cloud,” said Marc Stevens of Centrum Wiskunde & Informatica in the Netherlands. “However, we showed that graphics cards are much faster for these attacks and we now estimate that a full SHA-1 collision will cost between 75,000 and 120,000 dollars renting Amazon EC2 cloud over a few months today, in early autumn 2015.”
Microsoft started migrating to SHA-2 in 2013 and Google in 2014, as experts also encouraged web operators to comply with the specifications. In light of the recent research, some argue that web attacks on SSL certificates that still use SHA-1 will increase.
“We urge the industry to consider shifting this deadline up and enterprises should not wait any longer to migrate to SHA-2,” said Kevin Bocek, vice president of security strategy & threat intelligence at Venafi. “We also recommend that IT security teams find these SHA-1 certificates immediately, automate the changing of them and report on their progress way before this deadline approaches – procrastinating on this is just a disaster waiting to happen.”
Everyone still using SHA-1 is encouraged to migrate to SHA-2 before serious damage occurs that could lead to data loss or privacy violations.