Time's up for SHA-1 hash algo, but one in five websites still use it

One in five websites (21 per cent) are still using certificates signed with the vulnerable SHA-1 hash algorithm, according to a new survey. Reliance on the obsolete hashing technology leaves companies at greater risk of security breaches and compliance problems, certificate management firm Venafi warns. Venafi's latest study …

  1. Anonymous Coward

    The end of days.

    Yep,

    It took five extremely clever people and almost 7,000 of GPU/CPU time, but let's ignore the lack of patching, the lack of backups, the lack of encryption, the insecure unhardened CMS with a thousand unnecessary plugins, that most of these sites will be running, and worry about this.

    1. Ken Hagan Gold badge

      Re: The end of days.

      Well if the bad guys can crack SHA-1 then you won't be talking to the site with no patches, no backups, no encryption, an unhardened CMS and a thousand unnecessary plugins, so ignoring it seems perfectly fair.

    2. EnviableOne Bronze badge

      Re: The end of days.

      The Problem Is Identity Assurance, who cares whether it's patched or not if you can't be sure you are connecting to the right server.

      Personally, if you are patched, backed up, encrypted, running a secure hardened CMS, with no unnecessary plug-ins and I can't be sure you are who you say you are, I'm not connecting.

  2. msknight Silver badge
    FAIL

    That's all I need...

    A web browser that will refuse to talk with all the web management interfaces of the equipment I'm using. As if I'm not already having enough trouble with backward compatibility. Anyone want to beat vendors with a big stick to issue firmware updates that keep up with web standards on their interfaces?

    1. Version 1.0 Silver badge

      Re: That's all I need...

      "refuse to talk "

      I've had that happen on a couple of sites but each one fixed it very quickly. This fix isn't difficult, it's just that they were too lazy to do it until Google held their feet in the fire.

      1. Steve the Cynic

        Re: That's all I need...

        "I've had that happen on a couple of sites but each one fixed it very quickly"

        And when the "site" is the web interface to manage some piece of kit in your network? What then? Do you think it will be easy to get a firmware upgrade to fix the certificate?

    2. Anonymous Coward

      Re: That's all I need...

      and the good news is Firefox is getting rid of plugins, as if your headaches aren't bad enough now.

      I've already had to drop Chrome as a browser for internal kit. Firefox auto-update is now turned off.

      Better to run an insecure browser than one that doesn't work at all.

      1. dajames Silver badge

        Re: That's all I need...

        "Better to run an insecure browser than one that doesn't work at all."

        For some value of "better", perhaps ... methinks it'd be preferable to be unable to use the internet at all than to be gang-banged by it for want of security.

        Your mileage may vary ...
