SHA (short for Secure Hash Algorithm) is a set of hashing functions that has been around for quite some time. You have probably heard of SHA-1, possibly its most famous version and the most used one. It is also a very interesting one if you like conspiracies: SHA-1 supposedly improves the security of its predecessor, but the alleged vulnerabilities in SHA-0 were never disclosed as far as I know. If you add the fact that SHA-1 was developed by no less than the NSA, then you have a nice recipe for a nice conspiracy discussion.

Anyway, SHA-1 is not secure anymore. Computer processing power has been increasing steadily and it’s easier now to brute-force SHA1 than it was just a couple of years ago. To make things clear from the start, a hashing algorithm is considered broken when a collision is found, i.e. when two different input texts resolve into the same hashed string. SHA-1 produces a 160-bit hash, so brute-forcing SHA-1 would require 2^80 applications of the algorithm to find two different texts that resolve to the same hashed string. However, a cryptanalytic attack against SHA-1 has been discovered which would bring this number down to 2^69, still a big number but much smaller than the previous one.

Therefore, Google recently announced that they will be gradually sunsetting SHA-1. Basically, if your site’s SSL certificate is still using SHA-1, Chrome will gradually show it as less and less secure to your visitors, depending on the certificate’s expiry date and Google Chrome version. For some more details on this timeline, here is a nice infographic by Entrust that shows the process. Also have a look at the full article for some more in-depth information.

The bottom line is, you don’t want your website to be one of those with the big red X next to its name. Migrate to SHA-2, and do it now.