Google to Begin Phasing Out SHA-1

On September 5th, Google announced that it will begin ‘sunsetting’ the SHA-1 cryptographic hash algorithm.  This algorithm was designed almost a decade ago in 2005 and Google is now telling the world that it has not withstood the test of time.  SHA-1 is currently used in the signatures on SSL certificates for HTTPS.  These certificates allow a website to encrypt your connection to the site and let you verify that the site you are connecting to is genuine.

In its statement, Google cites the ease and affordability of collision attacks against SHA-1 as the reason for the decision to phase out the algorithm.  Basically, this means that Google is worried that nefarious individuals will engineer certificates that produce the same SHA-1 hash as the legitimate HTTPS certificates.  This would allow these individuals to pose as a legitimate site, such as, in order to scam, phish, or infect users.

How will this problem be fixed?  In the short term, Google will soon be changing the visual security indicator for HTTPS in Chrome to alert users to the issue.  Additionally, Google is looking to SHA-2, the successor of SHA-1, to replace the outdated cryptographic hash algorithm.  SHA-2 provides substantially more security and is supported by nearly every current operating system and browser.  Google is also not alone in this fight: both Microsoft and Mozilla have announced plans to move away from SHA-1 in the future.

-Tyler Zimmermann