The Dept. of Defense Uses the Outdated SHA-1 Algorithm to Issue Military Website Security Certificates, Raises Concerns over Vulnerability
Depiction of how browsers will display SHA-1 certificates in 2016.
The Department of Defense's use of the SHA-1 algorithm to create security certificates for military websites violates NIST's ban on the practice, instated at the beginning of 2014. The Department of Defense had previously planned to retire SHA-1 by the end of 2013 and migrate to the newer, more secure SHA-256 algorithm for signature generation. However, the discovery that some of its websites use SHA-1 brings potential vulnerabilities to light, especially as breaking the algorithm becomes easier over time. The push to upgrade from SHA-1-issued certificates is even more urgent because Microsoft plans to stop accepting SHA-1 certificates after January 1, 2016. Once these vulnerable websites are migrated to a more secure method, users will be able to safely access them and transmit personal data through them. Until then, these websites pose a security risk and may not even be viewable in browsers starting next year.