A long time coming... the demise of SHA-1

2016 so far has been a year of infamy; it has seen society sadly lose some of its shining lights in sport, entertainment, culture and now cryptography.

The ubiquitous and stalwart hashing algorithm, first developed over 20 years ago by the National Security Agency, has long been deprecated and has been on a slow wind-down for the past 10 years.

This seems to be the year where tech giants such as Google, Microsoft and Mozilla are taking the plunge and extinguishing this once bright light of secure hashing.

SHA-1 is used everywhere from IPsec, TLS, PGP and SSH to the boot process of Nintendo's Wii, and Microsoft have deemed 2016 to be the year where they finally stop accepting SHA-1 certificates.

Google have followed a similar tack and initiated deprecation way back in version 39 of Chrome, where HTTPS sites using SHA-1 certificates with validity dates through to 2017 will no longer be reported to users as trustworthy.

But is this all coming just a little too late?

Bruce Schneier wrote an article in Computerworld in August 2004 highlighting the need for eventual replacement of the then-current hashing technologies, as well as a prescient warning of the reducing cost of collision attacks against the once-secure standards, which he further revised in 2012.

This was all but fully realised by security researchers Marc Stevens, Pierre Karpman and Thomas Peyrin in their freestart collision project, jocularly named 'The SHAppening'.

The message from Stevens, Karpman and Peyrin is clear in confirming the prior warnings from Schneier from over 10 years ago: anyone with the available resources can and probably will compromise this ageing technology, and today those resources are more affordable than ever.

I'm sure it would be laborious and somewhat unnecessary for me to list the technologies and tools that would be at risk from a compromised SHA-1 function; however, the impact would be felt by any one of us who interacts with this technology, be it in our web browsers for digital banking, our online purchases, VPNs, secure emails and on and on.

In this age of increased reliance on and appetite for security and privacy online, the demise of SHA-1 is something that 2016 can't bring quickly enough... hoping only that this in itself is not too late.