Databarracks has warned that websites are risking customer data by not updating the encryption they use. As worrying as this is, users face a bigger concern: the fix will leave many older browsers and operating systems unable to support the updated encryption.
Cloud computing has undermined SHA-1
At the core of this problem is the popular but aging Secure Hash Algorithm 1, or SHA-1 as it is more commonly known. It was designed and published just over 20 years ago (1995) by the US National Security Agency. It was quickly adopted as a standard around the world for digital signatures and is used in a wide range of applications and protocols.
Ten years ago a group of security researchers published findings showing that the long-term survival of SHA-1 encryption was unlikely. Unfortunately, as with many things based on technology, Moore’s law and the advance of time have brought this prediction to fruition. One of the biggest concerns for any encryption is that, given enough computing power, it can eventually be defeated. That is exactly what Oscar Arean, technical operations manager of disaster recovery provider Databarracks, is now warning about.
According to the Databarracks press release Arean said: “Around three years ago, researchers estimated that a practical attack against SHA-1 would cost around $700,000 using commercial cloud computing services. But recently researchers estimated that this could cost between $75,000 and $120,000 renting the Amazon EC2 cloud platform – well within the reach of the cyber criminal’s budget.”
Web browsers stopping support for SHA-1
Arean goes on to say: “Because of the increased danger of malicious tampering with SHA-1 encrypted documents, Google, Microsoft and Mozilla have decided to stop trusting SHA-1 through their respective web browsers, with actions potentially being taken to block access by as early as this summer (June 2016).”
This is likely to cause significant disruption to users and companies that rely on the web for business. The reason is that visitors to websites that rely on digital certificates signed with SHA-1 would have problems accessing them. As bad as this sounds, there is a simple solution: upgrade from SHA-1 to the newer SHA-256. This is much stronger and likely to withstand attacks for a much longer period of time.
Upgrading: an all-round challenge
As we saw with the attacks against OpenSSL, however, having a fix and implementing it are two different things. It took many months before users of OpenSSL properly updated their certificates, and in that time many were open to, and were victims of, cyberattacks. In this case it is not just cyberattacks that are the issue but the inability of users to access websites and do eCommerce.
It is not just websites and digital signatures that are the problem. Users will need to make sure that they upgrade their browsers, whether they want to or not. Over the last two years some companies have started introducing charges for users of very old browsers due to the excessive costs of supporting their limited feature set. In this case there will be no support at all; the users will simply be locked out.
Operating systems such as Microsoft Windows XP and earlier are also a problem. Not only do they lack support for the newer algorithm, but as Microsoft no longer supports them, there will be no patch for them either. The same issue affects older versions of other operating systems, and users will need to be prepared for some upgrades or accept that they can no longer access parts of the Internet.
The timescale on this is relatively short. Microsoft will begin to push automatic updates to users of its Internet Explorer and Edge browsers within 3 months. Other browser manufacturers are likely to do the same. This means that IT departments need to be working with their web support teams today, not in May or even June. Rolling out a fix and getting certificates regenerated will take some time, and this has to be done properly to prevent ongoing problems.
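The first step for those web support teams is an inventory of which certificates are still signed with SHA-1. As an added example (not code from the article or from Databarracks), here is a standard-library Python check that reads the signature algorithm OID from a DER-encoded certificate and flags SHA-1 ones; the certificates it parses are constructed skeletons built by the same script, not real certificates.

```python
# Added example: flag SHA-1-signed X.509 certificates before browsers stop trusting them.
# Standard library only: parses just enough DER to read the outer signatureAlgorithm OID.
SIGNATURE_OIDS = {  # dotted OID -> (algorithm name, must be replaced?)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs, first byte packs two arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Return (dotted OID, name, needs_replacement) for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _read_tlv(cert, 0)        # skip tbsCertificate entirely
    _, alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm ::= SEQUENCE { OID, params }
    oid = _decode_oid(_read_tlv(alg, 0)[1])
    name, weak = SIGNATURE_OIDS.get(oid, ("unknown", True))  # unknown: needs review
    return oid, name, weak

def _tlv(tag, value):  # short-form DER encoder, only for building the constructed fixtures
    return bytes([tag, len(value)]) + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)

def make_skeleton_cert(sig_oid):
    """CONSTRUCTED fixture (hypothetical): Certificate SEQUENCE with placeholder TBS/signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))
```

On a real deployment, feed `signature_algorithm` the DER bytes of each certificate in the chain (a PEM file's base64 body decoded), since browsers judge every signature in the chain, not just the leaf.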
This is unlikely to be the last change we will see in the near future. Cloud computing is putting huge amounts of processing power into the hands of everyone. Cybercriminals have already shown, through the development of the Dark Net and cloud-based solutions such as Hacking-as-a-Service and Malware-as-a-Service, that they are willing, and have the funds, to invest in the latest technology.
Beyond the risk of cybercriminals and the loss of data is the risk of losing customers and business. If the cybercriminals don’t get you then the loss of revenue just might.