Mozilla announces that they are very close to the end of their decryption plan for the SHA-1 algorithm in the public Web.
Following the Google’s announcement about their latest discovery in collaboration with CWI Amsterdam researchers about the first practical collision for SHA-1, Mozilla says that this only proves the insecurity of this algorithm and supports something which they have believed in for a while – SHA-1 must be avoided from security use on the Web.
The plan of Mozilla for the deprecation of SHA-1 is first announced back in 2015. Then, the company said they would disable SHA-1 for a lot of Firefox users since the release of the Firefox 51, using a slow paced gradual phase-in technique. “Tomorrow, this deprecation policy will reach all the Firefox users. It is enabled by default in the Firefox 52,” the company’s announcement says.
Coming to the move, Mozilla claims that they will only affect people who are accessing websites which have not migrated to the SHA-2 certificates, which is less than 0.1% web traffic.
“In parallel to the phasing out in the insecure cryptography from the Firefox, we will continue our outreach efforts to help the website operators use modern and more secure HTTPS,” they add.
Earlier today, Google announced that it has managed to demonstrate the first ever SHA-1 hash collision. That means that they have managed to create two different documents that have the same SHA-1 hash signature.
While it’s true that Google put a lot of hours, manpower and computing resources at work to achieve this, it proves that SHA-1 is outdated and no longer secure in any way.
“Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google,” the company wrote in a blog post.