Hash functions such as SHA-1 are crucial in digital business (e.g. fintech): they produce a small, fixed-size value (the digest) from a document of any size. The digest then stands in for the document, and it should be practically impossible to find two different documents with the same digest. Last week Google (together with CWI Amsterdam) announced that they had produced two different PDF files with the same SHA-1 hash value, a so-called collision. Thus, a SHA-1 digest no longer uniquely identifies a document.

"SHA-1 has been broken." This is a message we have been hearing since 2005, when the first collision attacks on SHA-1 were published. NIST (the National Institute of Standards and Technology, the standards body that publishes the SHA family) has urged everybody to move to newer hash functions since then.

Why is this a problem? HTTPS and SSL/TLS (secure web communication) rely on a certificate infrastructure, which guarantees, for instance, that https://ubs.com really belongs to UBS and not to a web server set up by your friendly hacker next door. For this you send a small document (a certificate signing request) to a certificate authority, which checks that ubs.com really is UBS and then signs your certificate. The authority does not sign the whole certificate but a hash of it, and in the past hash functions like MD5 and SHA-1 were used for this. Because they are no longer deemed secure enough (MD5 is completely broken, and SHA-1 is now for sure on its way out), such certificates can be faked: an attacker who can produce two certificates with the same hash can transfer the authority's signature from a harmless certificate to a malicious one.

What does this mean for system administrators? Replace your SSL certificates regularly (every 2-3 years at most), so that you can move to a newer hash function as soon as the old one is deprecated.

Check whether your website is still using a SHA-1 certificate; if so, replace it. You can use the following website to check this: https://shaaaaaaaaaaaaa.com/ (13 "a").

If you get a certificate from a certificate authority, make sure it is signed with SHA-256. Make sure you use recent enough browsers which a) support SHA-256 and b) show a big fat red warning if a site is still using SHA-1 (or even MD5). Most current browsers do this, and the latest releases of Chrome and Firefox refuse SHA-1 certificates from public certificate authorities outright.
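The check described in the two paragraphs above (is the certificate's signature algorithm based on SHA-1 or MD5?) can also be done offline against the certificate file itself. The following is an added example in Python; it is not code from the original post and has nothing to do with the shaaaaaaaaaaaaa.com site. It walks the outer DER structure of an X.509 certificate just far enough to read the signatureAlgorithm OID and compares it with the registered OIDs for the weak and the acceptable algorithms. The two certificates it checks are constructed stand-ins (correct outer layout, dummy contents, no real signature), so that the example runs without network access; all helper names are my own.

```python
"""Flag X.509 certificates signed with a SHA-1 or MD5 based algorithm.

Added example, not from the original post. The certificates built by
fake_certificate() are constructed stand-ins (valid outer DER layout, dummy
contents, no real signature); a real one comes from ssl.get_server_certificate().
"""
import ssl

# Registered signature-algorithm OIDs relevant to this check.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OK_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(algid, 0)        # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_certificate(der):
    """Return (acceptable, algorithm_name) for a DER-encoded certificate."""
    oid = signature_algorithm(der)
    if oid in WEAK_SIG_OIDS:
        return False, WEAK_SIG_OIDS[oid]
    return True, OK_SIG_OIDS.get(oid, oid)


def check_pem(pem):
    """Same check for a PEM string, e.g. ssl.get_server_certificate(("ubs.com", 443))."""
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input (DER encoders for the stand-in certificates) ---

def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return _tlv(0x06, out)


def fake_certificate(sig_oid):
    """Constructed stand-in: real Certificate layout, dummy body, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # tbsCertificate: serial only
    algid = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")      # AlgorithmIdentifier + NULL
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)                    # BIT STRING, dummy value
    return _tlv(0x30, tbs + algid + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", check_certificate(fake_certificate(oid)))
```

Run it against a live site with check_pem(ssl.get_server_certificate(("example.com", 443))), then run the same check on the intermediate certificates the server sends, since a SHA-1 intermediate breaks the chain just as much as a SHA-1 leaf does. A SHA-1 self-signature on a root certificate is harmless, because the root is trusted directly from the browser's store rather than through its own signature.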

Complete Revision of the Federal Data Protection Act

The draft of the complete revision of the Federal Data Protection Act is currently in political consultation. Data protection is to be strengthened by giving people more control over their personal data and by reinforcing transparency regarding the handling of confidential data.

Links: draft, report

