Google has broken an old cryptographic algorithm that has been used online to check the authenticity of digital artifacts.
According to a report by Forbes, the cryptographic algorithm is called SHA-1. Using a ton of math and computing power, Google and researchers from the CWI Institute were able to create a different file with the same SHA-1 hash, the string of characters the algorithm produces, as another file. Forbes noted that the attack Google and the CWI Institute demonstrated is called a collision and is very rare.
Forbes reported that the attack on SHA-1, which Google is calling the Shattered attack, may work in situations where SHA-1 is still trusted. Forbes noted that GnuPG e-mail encryption still considers SHA-1 safe, and Microsoft still uses it even though it is phasing it out.
Although Google was able to break SHA-1, Forbes noted that people shouldn’t be too concerned: SHA-1 is old and, while it is widely deployed, big companies are downplaying it and won’t use it for verification processes. The Chrome browser, noted Forbes, will automatically tag any SSL certificate that uses SHA-1 as insecure. Microsoft has already announced it would phase out SHA-1 by the middle of 2017.
A spokesperson for Microsoft told Forbes: “Today’s report is further evidence that SHA-1’s useful lifetime has ended as part of the normal lifecycle of encryption technologies. Microsoft has worked with the industry since 2012 to phase out the use of SHA-1. Microsoft Edge and IE 11 do not consider websites using SHA-1 certificates secure, so do not show the lock icon that’s used to indicate a secure site in the browser’s address bar.”
Google is hoping its research will drive more companies to stop using SHA-1. “We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256,” Google said in a blog post, noted Forbes.