But the tool remains in wide use.
Google researchers have cracked a key internet security tool, and hope their finding will spur an end to widespread use of the encryption method.
The team announced Thursday that they had succeeded in breaking SHA-1, or Secure Hash Algorithm 1, encryption in a use case involving a pair of PDF documents.
What this means is that a method of internet security that has for years been known to be theoretically vulnerable has now been proven vulnerable. And what that means is there’s now a fire under the butts of entities still using the algorithm to finally update their systems to use something else.
Per its vulnerability disclosure policy, Google plans to release the code they used to break the SHA-1 encryption 90 days from now, at which point attackers will basically have an instruction manual for breaking the algorithm. Anyone still using it will be significantly more vulnerable.
“Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes,” reads a company blog post about the finding.
SHA-1 may be used to encrypt things like electronic documents (including legal documents), payment transactions, emails and email attachments.
The algorithm “is extremely widely used. We can’t quantify it, but SHA-1 is extremely widely used,” said Google researcher Elie Bursztein, based in Mountain View, explaining that SHA-1 has been used for many years “so a lot of people have legacy systems” that incorporate it.
The research was spearheaded by Marc Stevens, on staff at Netherlands computer science research institute Centrum Wiskunde & Informatica. Stevens said his SHA-1 research, funded by the Dutch government, began in 2009.
Google started working with Stevens in 2015, according to Bursztein. He said the company contributed resources pro bono, including infrastructure for computing, engineering time and expertise.
SHA-1’s usage stems back to as early as 1995, when the internet was just becoming mainstream with consumers, according to Stevens. But the cyber security community “didn’t know it was weak, really weak, until 2005, so there was no clear incentive to use something even stronger.”
Ars Technica, which reported on the finding earlier today, cited popular software development management system Git as a major entity that uses the algorithm.
Any software company that has been around long enough, including Google, will have used SHA-1, according to Bursztein. He said Google’s system for critical security does not rely on the vulnerable algorithm.
Subscribe to the Recode Newsletter
Sign up for our Recode Daily newsletter to get the top tech and business news stories delivered to your inbox.