Google Details SHA-1 Web Security Issues
Details on the broken state of the Secure Hash Algorithm-1 (SHA-1) were released by security experts at Google last week.
SHA-1 is a 20-year-old cryptographic approach that's long been used to protect Web traffic. Its use was officially deprecated by the National Institute of Standards and Technology back in 2011, but industry has been slow to respond to a threat that seemed somewhat theoretical.
The feat of breaking SHA-1, carried out by researchers, is viewed as proof that earlier theoretical claims were correct: the hashing algorithm is compromised and exposed to attacks, enabling phishing, man-in-the-middle attacks and content spoofing. The research was carried out using two PDF files in a "collision attack," which generated an SHA-1 hash that both files share and that could be used for fraudulent purposes. Google's example of the kind of fraud enabled was the ability to change the terms of transmitted contract documents.
The breaking of SHA-1 was conducted by researchers at the Cryptology Group at Centrum Wiskunde & Informatica (CWI) in the Netherlands and the Google Research Security, Privacy and Anti-abuse Group. It's the first time that SHA-1 has been broken, according to Google's announcement. The researchers don't believe the exploit is widely known, but it'll soon be published in accordance with Google's 90-day vulnerability disclosure policy.
A Google document explaining the problem indicated that "any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable." The flaw particularly affects GitHub and Subversion software repositories, which are heavily dependent on SHA-1 use, according to Google.
The attack on SHA-1 carried out by the researchers was faster than a typical brute-force attack, even though the researchers had to run more than 9 quintillion SHA-1 computations to complete the attack, Google explained.
Browser makers such as Apple, Google, Microsoft and Mozilla have worked in recent years to fully block the use of SHA-1. Nonetheless, SHA-1 is still "widely used in 2017 for document and TLS certificate signatures," according to a paper on the topic by the researchers. A switch to using cryptographic hashes such as SHA-256 and SHA-3 is recommended, but industry torpor has persisted, perhaps because the attacks weren't seen as practical. The researchers are hoping that their efforts will now change that mindset.
"We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure," Google's announcement stated.
Users of the Google Chrome browser are "automatically protected from insecure TLS/SSL certificates," Google indicated. Chrome version 56 removes support of SHA-1 certificates. Mozilla announced this week that support for SHA-1 in Firefox will come to an end on Feb. 24 in version 52 of the browser. Microsoft has described a more gradual phase-out plan for the use of SHA-1 in its browsers. In December, it published a guide for organizations, which outlined those phases.
According to that plan, Microsoft was to have implemented a warning procedure for Internet Explorer and Edge users that was supposed to take effect after Feb. 14 with its "update Tuesday" software patch release, but since those February updates got deferred to March, it's unclear if that approach is in effect. Under this scheme, users are supposed to see a warning in their browsers when SHA-1 use is encountered.
Later this year, another phase of Microsoft's plan will take effect. At that point, SHA-1 use will be distrusted by Windows systems. In an update to a Nov. 18 Edge blog post, Microsoft announced a mid-year target for this total SHA-1 deprecation:
"We are updating our timelines to deprecate SHA-1 by mid-2017 to ensure compliance in all configurations and scenarios for Microsoft Edge and Internet Explorer 11. At that time, these browsers will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the next release of Windows 10 will block SHA-1 by-default in the browser."
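The browser changes described above reject certificates whose signature was made with SHA-1. The following is an added example, not code from Google, Microsoft or the researchers, showing one way to find such certificates in an inventory by reading the signature algorithm OID from the DER encoding. The function names and the sample input are constructed for illustration; the sample is a certificate-shaped skeleton, not a valid certificate.

```python
# DER-encoded OID bodies of signature algorithms that use SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1",
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def sha1_signature_name(cert_der):
    """Name of the SHA-1 signature algorithm on the certificate, else None."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm missing")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    return SHA1_SIG_OIDS.get(bytes(cert_der[oid_start:oid_end]))

def der(tag, content):
    """Encode one DER element (helper used only to build the sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def sample_cert(oid_body):
    """Constructed certificate-shaped skeleton; not a real or valid cert."""
    tbs = der(0x30, b"\x00" * 200)                   # opaque placeholder body
    alg = der(0x30, der(0x06, oid_body) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` from the Python standard library. The check covers only the certificate's own signature, so run it on each certificate in a chain.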
Some credit goes to Microsoft in the recent SHA-1 research by CWI and Google. Microsoft produced a tool that can be used to test files to see if they've been subject to a collision attack. Ironically, the tool is available on GitHub, which is one of the code repositories described as being heavily dependent on SHA-1.
In related news, Google's Project Zero has once again surfaced an unpatched vulnerability in Microsoft's products after Google's 90-day grace period to get a fix expired. (Earlier this week, an information disclosure problem also surfaced via Project Zero.) This time, the flaw applies to 64-bit Microsoft Edge and IE 11 browsers on Windows Server 2012 R2, although the Google researcher's post at Project Zero suggested that 32-bit versions of the browsers likely would be affected, too. The proof-of-concept description suggested that the exploit, which leverages a type confusion flaw, could crash the browsers.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.