Over a Million Websites Are Still Using SHA-1

Oct 21, 2015

Faulty hash algorithm persists, despite efforts by experts to raise awareness.

A study by the security firm Netcraft has determined that over a million websites are still using SSL certificates based on the SHA-1 hashing algorithm, which is known to be insecure. Several high-profile companies are among the list of organizations that still use the discredited SHA-1.

Security experts have known for a few years that SHA-1 is vulnerable to attack; the only question has been how much an attack costs. According to a report in The Register, it was estimated in 2012 that a successful attack on SHA-1 would cost $173,000 in compute time by 2017. Netcraft reports the attack can now be accomplished with $75-$120K in Amazon EC2 compute resources.

Although such a rate would rule out high school script kiddies and small-time meth addicts, a $75,000 investment to hack a corporate network is well within the budget of many criminal and government espionage organizations.

All networks are strongly advised to upgrade to certificates based on SHA-2 and SHA-3-family algorithms.
