A pair of researchers from INRIA, the French Institute for Research in Computer Science and Automation, have published an academic paper titled “Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH” in which they describe a series of transcript collision attacks against the ageing SHA-1 and MD5 hashing algorithms as they’re implemented in widely used security protocols such as TLS (Transport Layer Security), IKE (Internet Key Exchange) and SSH (Secure Shell).
The newly demonstrated attacks raise the urgency to move away from SHA-1 as the hashing algorithm used for signing certificate signatures for HTTPS.
All major browser vendors have plans to stop support for SHA-1, or have already done so. Microsoft was amongst the first to recommend the deprecation of both SHA-1 and RC4 as early as November 2013. Google and Mozilla soon followed suit in September 2014. However, in October 2015, the CA/Browser Forum, proposed a motion to allow the SHA-1 certificates to be issued through December 2016—the reason being that several large enterprises did not expect to be able to fully make transition to the more modern SHA-256 certificates by the end of 2015.
In December 2015, Facebook warned that cutting-off SHA-1 would mean that based on its data, as many as 7% of browsers will not be able to support the newer SHA-256 standard, implying that tens of millions of people will not be able to securely use the Internet come January of this year.
This new attack, called SLOTH (Security Loss due to the use of Obsolete and Truncated Hash constructions), shows that MD5 and SHA-1’s use in mainstream cryptographic protocols such as TLS significantly reduces security. This research not only strongly prompts for the deprecation date for SHA-1 to be moved up, but to be “forcefully disabled in existing protocols”, given that practical SHA-1 collisions are now within the reach of well-resourced nation-state attackers.
What you should do
Given that all major browsers will stop supporting SHA-1 (or stop displaying warnings to users), or in the case of Google Chrome and Mozilla Firefox, this has already been stopped, now is a good to replace SHA-1 certificates if you’re using any.
If you need to support older browsers (i.e. Windows XP Service Pack 2 or older, Android v2.2 or older), you may want to consider falling back to SHA-1 for legacy devices by using two certificates—ECDSA+SHA256 for modern clients and RSA+SHA1 for legacy clients, but it’s unfortunately a tricky affair if you’re not using Apache HTTP Server (Apache HTTP Server allows the use of more than one certificate).