TL;DR
SHA-1 is considered insecure and has been deprecated by major browsers for years. However, many other technologies rely on it. This guide explains what those are and how to update them.
What is SHA-1?
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function used to verify data integrity. It creates a unique ‘fingerprint’ of a file or message. If the fingerprint changes, the data has been altered. Because weaknesses were found in SHA-1, it’s no longer considered secure for many applications.
Why is SHA-1 being deprecated?
Researchers discovered ways to create different files with the same SHA-1 hash (a ‘collision’). This means attackers could potentially substitute malicious content while still appearing to have a valid file. Browsers stopped accepting certificates signed using SHA-1, and other systems are following suit.
Technologies Impacted Beyond Browsers
- Git: Git uses SHA-1 hashes extensively for object identification (commits, trees, blobs).
- OpenSSL: Older versions of OpenSSL supported SHA-1. While modern versions prioritize stronger algorithms, older systems might still rely on it.
- Code Signing: Software developers use code signing to verify the authenticity and integrity of their applications. SHA-1 was a common algorithm for this purpose.
- Digital Certificates (SSL/TLS): As mentioned, browsers have phased out support for certificates signed with SHA-1. This impacts websites using older SSL/TLS certificates.
- PKCS#7/CMS: Used for digital signatures and encryption; older implementations may use SHA-1.
- Email Security (S/MIME): Some email clients and servers used SHA-1 for signing and encrypting emails.
- Hardware Devices: Firmware updates on some hardware devices might be signed using SHA-1.
How to Check if You’re Affected
- Git Repositories: Use the following command to check for objects with SHA-1 hashes:
git fsck --fullThis will identify any commits, trees or blobs that are using SHA-1. While Git doesn’t *require* you to change these (it’s a historical record), it’s good to be aware.
- OpenSSL Configuration: Check your OpenSSL configuration file (usually
openssl.cnf) for any references to SHA-1. Look for lines mentioning ‘sha1’. Modern versions should default to stronger algorithms, but verify.grep sha1 /etc/ssl/openssl.cnf - Code Signing Certificates: Examine your code signing certificates’ details. The certificate information will indicate the hashing algorithm used (SHA-1, SHA-256, etc.). You’ll need to use the appropriate tools for your operating system and certificate provider.
- SSL/TLS Certificates: Use an online SSL checker tool (e.g., SSL Labs Server Test) to analyze your website’s certificates. It will report if any SHA-1 certificates are still in use.
https://www.ssllabs.com/ssltest/
How to Fix the Issues
- Git: There’s generally no need to ‘fix’ SHA-1 hashes within Git history unless you are actively concerned about collision attacks on your repository. If necessary, consider migrating to a new repository.
- OpenSSL: Upgrade to the latest version of OpenSSL. Configure it to prioritize stronger hashing algorithms (SHA-256 or higher). Ensure any applications using OpenSSL are also updated to use these newer algorithms.
- Code Signing: Obtain new code signing certificates that use SHA-256 or a more secure algorithm. Re-sign your software with the new certificates.
- Digital Certificates (SSL/TLS): Replace any SHA-1 SSL/TLS certificates with newer certificates signed using SHA-256 or higher. Your certificate authority can assist you with this process.
- PKCS#7/CMS & Email Security: Update your software and configurations to use SHA-256 or stronger algorithms for digital signatures and encryption. Consult the documentation for your specific email client or server.
- Hardware Devices: Check with the device manufacturer for firmware updates that support newer signing algorithms. If no updates are available, consider replacing the device if security is a major concern.