Digital Business is Based on Hashing
Hash functions such as SHA-1 are crucial in digital business (e.g. fintech) to produce a small piece of text (the digest) from a larger document. This digest is then a unique representation of the document: no two different documents should have the same digest. Last week Google announced that they can change a PDF in such a way that two different PDFs have the same SHA-1 hash value. Thus, the digest is no longer unique.
SHA-1 Broken!
"SHA-1 has been broken." This is a message we have been hearing since 2004. The inventor of SHA (NIST, the National Institute of Standards and Technology) has been urging everybody to move to newer hash functions ever since.
The Problem
Why is this a problem? HTTPS and SSL/TLS (secure web communication) rely on a certificate infrastructure which guarantees, for instance, that https://ubs.com is really UBS and not some web server set up by your friendly hacker next door. For this you send some small documents (SSL certificates) to parties (certificate authorities) which check that ubs.com is really UBS and then sign your certificates. Hash functions such as MD5 and SHA-1 were used for these signatures in the past. Since they are no longer deemed secure enough (MD5 is completely broken and SHA-1 is now for sure on its way out), certificates signed with them can be faked.
Consequences
What does this mean for system administrators? Make sure you change your SSL certificates every 2-3 years.
Check whether your website is still using a SHA-1 certificate; if yes, replace it. You can use the following website to check this: https://shaaaaaaaaaaaaa.com/ (13 "a"s).
If you get a certificate from a certificate authority, make sure it's using SHA-256. Make sure you use recent enough browsers which a) support SHA-256 and b) present a big fat red warning if a site is still using SHA-1 (or even MD5). Most current browsers do this.
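As an added example (not code from the original post), the following Python performs the check described above locally: it reads the signatureAlgorithm field of a DER-encoded X.509 certificate with a minimal DER parser (no third-party libraries) and flags MD5 and SHA-1 signatures. The two sample certificates are constructed DER shells with an empty tbsCertificate, not real certificates.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 5758) and the hash each one uses.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, contents, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(contents):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs, cur = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(str(cur))
            cur = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Return (algorithm, hash) from the outer signatureAlgorithm field of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _read_tlv(der, 0)
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return SIG_ALG_OIDS.get(_decode_oid(oid), ("unknown", "unknown"))

def uses_weak_hash(der):
    """True when the certificate signature relies on MD5 or SHA-1 and should be replaced."""
    return signature_algorithm(der)[1] in ("md5", "sha1")

# Constructed sample input (not a real certificate): an empty tbsCertificate, the
# AlgorithmIdentifier under test and an empty signature BIT STRING, DER-encoded.
def _fake_cert(oid_der):
    alg_id = bytes([0x30, len(oid_der) + 2]) + oid_der + b"\x05\x00"   # SEQUENCE { OID, NULL }
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body
SHA1_RSA_CERT = _fake_cert(bytes.fromhex("06092a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_RSA_CERT = _fake_cert(bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption
```

For a live site, the standard library's `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert` converts it to the DER this parser expects. Only the leaf and intermediate signatures matter; browsers do not verify the self-signature on a trusted root, so a SHA-1 root alone is not a finding.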