In late February 2017, Google experts, along with the Dutch Centrum Wiskunde & Informatica (the Center for Mathematics and Computer Science), proved that SHA-1 is vulnerable to collision attacks.
In other words, hackers using a SHA-1 hash collision can create a fake file with the same SHA-1 hash as the original file.
But that should not come as a surprise. Experts have been talking about the vulnerability of SHA-1 for more than ten years. Google, Microsoft, Mozilla and Apple have all announced that their browsers will stop accepting SHA-1 certificates by 2017. Most certificate authorities will stop supporting SHA-1 as of 2017 as well. But this information does not seem to bother website owners. Venafi specialists conducted a study, and the results show that one in five websites is still using a SHA-1 certificate.
“I suppose most organizations don’t know they are using the SHA-1 certificate in their networks, since they rely on the solutions provided by certifying centers. The problem with this solution is that any employee of the organization can install a certificate with weak secure hash algorithms,” said Venafi specialist Shelley Boose.
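For organizations that do not know whether SHA-1 certificates are in use, the check comes down to reading each certificate's signature algorithm. The sketch below is an added example, not code from the article or from Venafi: it reads the `signatureAlgorithm` OID from a DER-encoded certificate and reports whether it is SHA-1 based. The function names are assumptions, and the two samples are constructed, certificate-shaped skeletons rather than valid certificates.

```python
# OIDs of signature algorithms that hash the certificate with SHA-1.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:  # base-128 groups; high bit set means more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs.pop(0)  # the first group packs the first two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs))

def signature_oid(cert):  # OID of Certificate.signatureAlgorithm
    tag, start, _ = read_tlv(cert, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)         # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)     # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(cert[oid_start:oid_end])

def sha1_finding(cert):  # SHA-1 algorithm name, or None if not SHA-1 signed
    return SHA1_SIGNATURE_OIDS.get(signature_oid(cert))

def der(tag, body):  # minimal DER encoder, used only to build the samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_cert(sig_oid):  # certificate-shaped skeleton, NOT a valid cert
    alg = der(0x30, der(0x06, sig_oid) + b"\x05\x00")
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x04, bytes(200)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 16))

SHA1_SAMPLE = constructed_cert(bytes.fromhex("2a864886f70d010105"))
SHA256_SAMPLE = constructed_cert(bytes.fromhex("2a864886f70d01010b"))
```

For a real certificate in PEM form, the standard library's `ssl.PEM_cert_to_DER_cert` produces the DER bytes that `sha1_finding` expects.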