Number: IRCNE2015102666
Date: 2015/10/25
According to “computerworlduk”, in light of recent advances in attacks against the SHA-1 cryptographic function, Mozilla is considering banning digital certificates signed with the algorithm sooner than expected.
The CA/Browser Forum, a group of certificate authorities and browser makers that sets guidelines for the issuance and use of digital certificates, had previously decided that new SHA-1-signed certificates should not be issued after Jan. 1, 2016.
Browser makers have also decided that existing SHA-1 certificates will no longer be trusted in their software starting Jan. 1, 2017, even if they're technically set to expire after that date.
Earlier this month Thomas Peyrin of Nanyang Technological University (NTU) in Singapore, Marc Stevens of the Centrum Wiskunde and Informatica in the Netherlands and Pierre Karpman of both NTU and Inria in France, published a research paper that describes a new way to break SHA-1.
"We advise the industry to not play with fire, and accelerate the migration process toward SHA2 and SHA3, before such dramatic attacks become feasible," Thomas Peyrin told the IDG News Service earlier this month.
According to Internet services company Netcraft, almost one million SHA-1 SSL certificates are still in use on the Internet, 120,000 of which were issued in 2015 and 3,900 having expiry dates past Jan. 1, 2017. According to statistics from the SSL Pulse project, 24 percent of the world's top 143,000 HTTPS websites by traffic use SHA-1 certificates.
- 5