For the past couple of months I’ve been busy helping customers prepare for the coming enforcement of SHA-2, the set of cryptographic hash functions to succeed SHA-1.
These customers have opted to go through the necessary growing pains and education now, which nearly all companies will encounter sometime this year. If you haven’t heard, it’s time to ditch SHA-1 and get on the SHA-2 train. The longer you wait, the less time you'll have to do it without panicking.
Over the coming years, particularly this one and next, many digital-certificate-consuming devices and applications will begin to display warnings/errors or operationally fail if a digital certificate containing the SHA-1 (or earlier) hash is presented. Why the change? Because the SHA-1 hash has been shown to suffer cryptographic weaknesses to the point where many experts think its days of useful protection are numbered.
Of course, SHA-1 is the most common hash today, and many applications and devices don’t yet accept or understand SHA-2-related hashes or certificates. There's the rub.
Intro to SHA
SHA-1 was designed by the NSA and published as a federal standard in 1995. Hashes are used for digitally signing content for integrity validation and are a part of any digital certificate. Without cryptographically sound hashing algorithms, digital authentication and integrity would be very hard to do, if not impossible.
In 2002, SHA-2 became the new recommended hashing standard. SHA-2 is often called the SHA-2 family of hashes because it contains many different-size hashes, including 224-, 256-, 384-, and 512-bit digests. When someone says they are using the SHA-2 hash, you don’t know which bit length they are using, but the most popular one is 256 bits (by a large margin). Although SHA-2 is constantly attacked and minor weaknesses are noted, in crypto-speak, it's considered "strong." Without question, it's way better than SHA-1, which experts believe will be fallible in the near term.
SHA-1 deprecation handling
No surprise that many software vendors, especially those with browsers (which consume most of the digital certificates we use today), are actively moving to SHA-2. Expect most Internet browsers to display warning messages or errors soon. Here's a decent summary of the major browser vendors' position statements.