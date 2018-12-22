from the eh-I'll-get-around-to-it dept.
NIST calls time on SHA-1, sets 2030 deadline:
The US National Institute of Standards and Technology (NIST) says it's time to retire Secure Hash Algorithm-1 (SHA-1), a 27-year-old weak algorithm used in security applications.
"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," said NIST computer scientist Chris Celi, in a canned statement on Thursday.
As soon as possible isn't necessarily all that soon: NIST says you should be rid of SHA-1 from your software and systems by December 31, 2030. Meanwhile, the tech industry has largely moved on already.
[...] Despite its known weakness, SHA-1 has shown up in recent years propping up legacy applications and providing shoddy password storage. Microsoft finally got around to dropping SHA-1 from the Windows update process in August 2020.
[...] Celi explains that modules still using SHA-1 after 2030 will be ineligible for purchase by the federal government. Having eight years to submit an update may seem like more than enough time, but Celi warns there may be a backlog of submissions as the deadline nears. Developers wishing to avoid a potential validation delay should submit revised code sooner rather than later.
(Score: 2) by bzipitidoo on Monday December 19, @03:01AM
Large organizations can be incredibly slow to update. I really don't know what their deal is. They're super conservative about software updates, and I can understand that. But to stick with stuff that was cracked as much as a decade or more ago and for which there's been a good replacement available for at least the past 5 years, I regard as not being conservative, that's lazy, bureaucratic sluggishness.
My own anecdote about that was the time I was given access to some government data. They insisted on telephoning me to tell me the password, because that was more "secure" than email. I suggested they encrypt the email if they were so worried about it, but they didn't seem to understand what that meant. Okay, fine, tell me the account info over the phone, and hope it isn't tapped. Then came the kicker. The account info was for ... telnet! Nope, they didn't have ssh set up. ssh had been available for 7 years at that point, but they were still using plain old telnet. SMH.