On September 5th, Google announced that it will begin ‘sunsetting’ the SHA-1 cryptographic hash algorithm. The algorithm was designed almost a decade ago, in 2005, and Google is now telling the world that it has not withstood the test of time. SHA-1 is currently used in the signatures on the SSL certificates that secure HTTPS; those certificates are what let a website encrypt your connection and prove that the site you are connecting to is genuine.
In its statement, Google cites the ease and affordability of collision attacks against SHA-1 as the reason for phasing out the algorithm. In practice, this means Google is worried that attackers will engineer a certificate that produces the same SHA-1 hash as a legitimate HTTPS certificate, so that the signature a certificate authority placed on the legitimate one also validates the forgery. That would let them pose as a legitimate site, such as facebook.com, in order to scam, phish, or infect users.
How will this problem be fixed? In the short term, Google will soon change the visual security indicator for HTTPS in Chrome to alert users to the issue. Longer term, Google is looking to SHA-1's successor, SHA-2, to replace the outdated hash algorithm. SHA-2 provides substantially more security and is supported by nearly every current operating system and browser. Google is also not alone in this fight: both Microsoft and Mozilla have announced plans to move away from SHA-1 in the future.
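The two paragraphs above describe the risk (a colliding certificate inherits a CA's signature) and the fix (move the signature digest to SHA-2 and have browsers stop accepting SHA-1). The following toy model, added here as an example and not code from the original post or from Google, shows both in a runnable form. Everything in it is constructed: the "CA" is an HMAC rather than an RSA or ECDSA signer, the certificate is a short text blob, and the `sha1-24` digest truncates SHA-1 to 24 bits so that a collision can be found in milliseconds, which real SHA-1 does not allow at that cost. The property it demonstrates is the real one: a signature binds only the digest, so two to-be-signed blobs with the same digest share one valid signature, and the relying party's algorithm policy is what closes the hole.

```python
"""Toy digest-then-sign model of certificate issuance (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed CA key. Real CAs sign with RSA/ECDSA; HMAC is used only to keep the
# example stdlib-only. The binding property (signature covers the digest) is the same.
CA_KEY = secrets.token_bytes(32)

DIGESTS = {
    "sha1-24": lambda data: hashlib.sha1(data).digest()[:3],  # deliberately weak stand-in
    "sha256": lambda data: hashlib.sha256(data).digest(),
}


def ca_sign(alg: str, to_be_signed: bytes) -> bytes:
    """CA issues a signature over (algorithm id, digest of the to-be-signed data)."""
    return hmac.new(CA_KEY, alg.encode() + DIGESTS[alg](to_be_signed), "sha256").digest()


def verify(alg: str, to_be_signed: bytes, sig: bytes, allowed=("sha256",)) -> str:
    """Relying-party check: algorithm policy first, then the signature itself."""
    if alg not in allowed:
        return "rejected: signature algorithm not allowed"
    if hmac.compare_digest(ca_sign(alg, to_be_signed), sig):
        return "valid"
    return "rejected: bad signature"


def tbs(subject: str, serial: int) -> bytes:
    """Stand-in for the tbsCertificate structure: subject plus a varying serial."""
    return f"subject={subject};serial={serial}".encode()


def find_colliding_pair(alg: str, benign_subject: str, rogue_subject: str,
                        benign_count: int = 5000, rogue_limit: int = 500000):
    """Birthday search: many benign variants vs many rogue variants, return one pair
    whose digests are equal, or None if the rogue budget runs out."""
    digest = DIGESTS[alg]
    seen = {}
    for i in range(benign_count):
        candidate = tbs(benign_subject, i)
        seen.setdefault(digest(candidate), candidate)
    for j in range(rogue_limit):
        rogue = tbs(rogue_subject, j)
        match = seen.get(digest(rogue))
        if match is not None:
            return match, rogue
    return None


def demo() -> dict:
    """Issue a signature on a benign blob and see where it transfers to the rogue one."""
    benign, rogue = find_colliding_pair("sha1-24", "attacker-owned.example",
                                        "impersonated-site.example")
    sig = ca_sign("sha1-24", benign)  # CA legitimately signs only the benign request
    return {
        "same_digest": DIGESTS["sha1-24"](benign) == DIGESTS["sha1-24"](rogue),
        # A verifier that still trusts the weak digest accepts the rogue blob.
        "rogue_under_weak_policy": verify("sha1-24", rogue, sig, allowed=("sha1-24", "sha256")),
        # A verifier that has sunset the weak digest never reaches the signature check.
        "rogue_under_default_policy": verify("sha1-24", rogue, sig),
        # Under SHA-256 the two blobs no longer collide, so nothing transfers.
        "rogue_under_sha256": verify("sha256", rogue, ca_sign("sha256", benign)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks in `verify` is the point for a defender: rejecting the algorithm up front means a colliding pair is irrelevant even if one exists, which is exactly what a browser does once it stops accepting SHA-1-signed certificates.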
On September 10, 5 million Gmail accounts and passwords appeared on a forum on a Russian Bitcoin website. Information about the leak is still surfacing, and some of it is reassuring: many of the account names and passwords are not recent, and some go back as far as three years. Still, considering that most people rarely change their passwords, there is room for concern.
Google has since confirmed that there was no breach of its own systems. So how did all these accounts and passwords leak? As it turns out, people have a bad habit of reusing one password across multiple accounts, including third-party accounts unrelated to Google. Most of those third-party sites require an email address in order to contact the user or send him or her updates. It was those third-party sites that were hacked, and the account names and passwords were taken from them.
While many people are panicking about the situation, it is worth noting that most of the accounts are Russian (though there are certainly English-language ones on the list) and that 60% are actually active. Even so, Google has told users to check their accounts and to strengthen their passwords.