Time's up for SHA-1 hash algo, but one in five websites still use it

Google, Microsoft and Mozilla say they won't trust anyone who hasn't migrated

One in five websites (21 per cent) are still using certificates signed with the vulnerable SHA-1 hash algorithm, according to a new survey.

Reliance on the obsolete hashing technology leaves companies at greater risk of security breaches and compliance problems, certificate management firm Venafi warns.

Venafi's latest study shows there has been improvement since November 2016, when a third (35 per cent) of websites were still using SHA-1.

SHA-1 is an outdated hash algorithm known to be potentially insecure since 2005. Last month researchers at Google worked with academics to demonstrate a successful collision attack on the algorithm, a practical (if difficult and resource-intensive) attack that underlines the need for change.

Google, Microsoft and Mozilla set deadlines in early 2017 for websites to migrate, saying they would no longer trust sites otherwise.

Newly issued certificates using the SHA-2 family of hash functions solve these problems, but Venafi's research shows that many companies have not replaced all their certificates with ones signed by SHA-2. This leaves organisations open to security breaches, compliance problems, and outages that can affect security, availability and reliability.

Web transactions and traffic may be disrupted in a variety of ways due to insecure SHA-1 certificates. Browsers will display warnings to users that the site is insecure, potentially prompting users to look for an alternative site.

In addition to the serious impact on user experience, websites that continue to use SHA-1 certificates are likely to experience a significant increase in help desk calls and a reduction in revenue from online transactions as users abandon websites due to security warnings.

Kevin Bocek, chief security strategist for Venafi, commented: "Even though most organisations have worked hard to migrate away from SHA-1, they don't have the visibility and automation necessary to complete the transition. We've seen this problem before when organisations had a difficult time making co-ordinated changes to keys and certificates in response to Heartbleed, and unfortunately I'm sure we are going to see it again."

Venafi's research is based on analysis of data from more than 33 million publicly visible IPv4 websites using Venafi TrustNet, a proprietary database and real-time certificate intelligence service. ®
