SHA1 is officially dead. If you are an everyday user of electronic signatures, SHA1 might not mean much to you, but we can assure you that this development is incredibly important!
SHA1 is a hash algorithm - a type of security measure used in popular software across the world. This includes the majority of electronically signed documents.
For over ten years, researchers have been warning about the vulnerability of the SHA1 algorithm. This warning became a reality in February 2017 when researchers demonstrated a real-world attack using two PDF files that, despite displaying different content, had the same SHA1 hash.
This means collisions are now possible. In business terms, this translates to SHA1 not being suitable for electronic signatures, file integrity mechanisms and file identification.
Ars Technica has the details. Here at Ascertia, we’ve been aware of SHA1’s weakness for some time and all our products, SigningHub included, have been using SHA256 as the default algorithm for many years.
In our latest eBook, we explain the different elements that produce an electronic signature on a PDF document (PAdES - PDF Advanced Electronic Signatures) and the multiple locations where hash algorithms are involved. Ensure your e-signed documents don't use SHA1 in any of these places.
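One way to check a signed PDF for SHA1 algorithm identifiers, as an added example (not Ascertia's code and not taken from the eBook): it pulls each hex-encoded `/Contents` signature blob out of the file and searches it for the DER encodings of the standard SHA1-based OIDs. The function name and the sample bytes are constructed for illustration, and the byte search is a heuristic, not a full ASN.1 parse.

```python
import re

# DER encodings (tag 0x06, length, value) of the standard SHA1-based OIDs.
SHA1_OIDS = {
    bytes.fromhex("06052b0e03021a"): "sha1 (1.3.14.3.2.26)",
    bytes.fromhex("06092a864886f70d010105"):
        "sha1WithRSAEncryption (1.2.840.113549.1.1.5)",
    bytes.fromhex("06072a8648ce3d0401"): "ecdsa-with-SHA1 (1.2.840.10045.4.1)",
}

# A PDF signature dictionary stores its CMS blob as a hex string:
#   /Contents <3082...>
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]+)>")


def find_sha1_in_pdf_signatures(pdf_bytes):
    """Return [(signature_index, oid_name, hit_count)] for SHA1 OIDs found."""
    findings = []
    for index, match in enumerate(CONTENTS_RE.finditer(pdf_bytes)):
        hex_digits = re.sub(rb"\s+", b"", match.group(1))
        if len(hex_digits) % 2:
            hex_digits += b"0"  # PDF rule: an odd final digit is padded with 0
        cms = bytes.fromhex(hex_digits.decode("ascii"))
        for der_oid, name in SHA1_OIDS.items():
            count = cms.count(der_oid)
            if count:
                findings.append((index, name, count))
    return findings


# Constructed sample (not a real PDF): two signature dictionaries whose
# /Contents hold only a bare AlgorithmIdentifier, SHA1 then SHA256.
SAMPLE_PDF = (
    b"1 0 obj << /Type /Sig /Contents <30090605 2B0E03021A0500 0000> >> endobj\n"
    b"2 0 obj << /Type /Sig /Contents <300d06096086480165030402010500> >> endobj\n"
)

if __name__ == "__main__":
    for sig_index, oid_name, hits in find_sha1_in_pdf_signatures(SAMPLE_PDF):
        print(f"signature #{sig_index}: {oid_name} x{hits}")
```

A hit only shows that a SHA1 identifier appears somewhere inside the signature container; telling which field it belongs to needs a real ASN.1/CMS parser.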