SHA-1 is a hash algorithm that has been widely used in cryptography. Hash algorithms are mathematical functions that take a block of data of arbitrary size (called the message) as input, and produce a fixed-length output (the message digest, often called the digest or the hash). Two important uses are in the creation of digital certificates, and for verifying the integrity of data.
The key feature of hash algorithms that is important in cryptography is that they are one-way functions - it is easy to calculate the hash of a block of data, but extremely difficult to work out what blocks of data will produce a given hash.
A collision is when two blocks of data are found that produce the same hash. If a technique is found that can produce collisions cost-effectively (given the cost of computer time), then the hash algorithm is broken. This is bad, because it may make it possible for a well-resourced attacker to forge the digital certificates that secure websites.
In 2005, it was shown that breaking SHA-1 was theoretically possible, and more recently it has been announced by Google, Microsoft and Mozilla that their browsers are phasing out support for SHA-1 certificates.
Today it was announced that freestart collisions have been calculated for SHA-1. Hash algorithms use a number of steps, and in the first step an initialisation vector (IV) is supplied in addition to the data being hashed. The IV is a random block of data, and a freestart collision is one where the attacker can choose the IV.
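To make the IV concrete, here is an added example (not from the original post) of a single SHA-1 compression step in pure Python, checked against hashlib. The standard IV constants are those fixed by the SHA-1 specification; passing a different IV is exactly the freedom a freestart attacker has, which is why such a collision attacks the compression function rather than the full hash.

```python
import hashlib
import struct

# Standard SHA-1 initialisation vector (five 32-bit words), fixed by the specification.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(iv, block):
    """One compression step: 160-bit chaining value + 64-byte block -> new chaining value."""
    if len(block) != 64:
        raise ValueError("SHA-1 compresses exactly one 64-byte block at a time")
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                      # message schedule expansion
        w.append(_rotl(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16], 1))
    a, b, c, d, e = iv
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining value back in.
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(iv, (a, b, c, d, e)))

def pad_one_block(msg):
    """Pad a message of at most 55 bytes into a single 64-byte SHA-1 block."""
    if len(msg) > 55:
        raise ValueError("message must fit in one block together with padding")
    return msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))

def sha1_one_block(msg, iv=SHA1_IV):
    """Hash a short message; with the standard IV this equals hashlib.sha1(msg)."""
    return b"".join(struct.pack(">I", x) for x in sha1_compress(iv, pad_one_block(msg)))

def matches_hashlib(msg):
    # Sanity check of the implementation against the standard library.
    return sha1_one_block(msg) == hashlib.sha1(msg).digest()

def is_freestart_collision(iv, block1, block2):
    """True if two distinct blocks compress to the same value under a chosen IV.
    With iv == SHA1_IV this would be a real single-block collision instead."""
    return block1 != block2 and sha1_compress(iv, block1) == sha1_compress(iv, block2)
```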
Freestart collisions aren't actual collisions, but they enable a much more accurate projection of the real-world cost of actual collisions - and the new projections aren't good news. In 2012, security expert Bruce Schneier estimated the real-world cost of an actual collision would be $700,000 in 2015 - a significant sum, and out of reach of most organizations. The authors of this new study estimate a real-world cost today of between $75,000 and $120,000 using Amazon EC2 cloud computing services - almost an order of magnitude less. Of course, governments, large corporations and criminal enterprises may have far greater resources, and so the authors say that SHA-1 should be considered broken right now.
This is problematic, as it is two years earlier than expected, and SHA-1 certificates are valid in browsers for another year!
The solution is to replace SHA-1 in your organization as soon as possible. If SHA-1 is being used either in your SSL/TLS certificates or in SSH or SFTP, you need to immediately upgrade to SHA-256 (SHA-2) certificates, and disable the use of SHA-1 MACs in SSH. CompleteFTP users please take note.
There is some good news though - according to SSL Pulse, over 70% of popular websites are now using SHA-256-signed certificates, and this figure is up 3.8% on last month. So websites are transitioning fairly rapidly. This is probably because, as certificates expire, certificate authorities will only supply SHA-256-signed certificates to replace them.