One in five websites uses insecure SHA-1 certificate

More than a fifth (21 percent) of all websites are still using an insecure certificate, which is leaving them open to different types of cyberattacks. This is according to a new report from cyber security experts Venafi.

The report says many sites are still using the SHA-1 certificate, which means they’re vulnerable to man-in-the-middle attacks, brute force attacks and collision attacks, all of which can expose the site’s sensitive data.

This means extra danger for people providing financial, or sensitive information to sites.

Venafi says there has been improvement since November 2016, when more than a third (35 percent) of sites used this same certificate. "However, there is still a long way to go to ensure online security," a Venafi’s spokesperson said.

The funny thing with SHA-1 is that it has been known as an insecure algorithm since 2005. Google, Microsoft and Mozilla set deadlines in early 2017 for sites to migrate, saying they would no longer trust those still using the SHA-1.

"The results of our most recent analysis are not surprising," says Kevin Bocek, chief security strategist for Venafi. "Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again."

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

Image Credit: Sergey Nivens / Shutterstock