Check your Website for SHA1 Migration
NIST (National Institute of Standard and Technology) released a category of Cryptographic hash functions named SHA (Secure Hash Algorithm). The four SHA algorithms are designed differently and named as SHA0, SHA1, SHA2, and SHA3.
SHA0 was published in 1993 with 160bit hash functions. However, SHA0 was shortly replaced with new algorithm named SHA1 due to significant flaw. It was not used in applications. In 1998, two French researchers, Florent Chabaud and Antoine Joux announced an attack on SHA0 in 2^61 operations at the international Cryptography conference. In 2005, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu cryptographers had announced about a collision in SHA0 in 2^39 operations.
SHA1 was published in 1995 resembles to SHA0 and was widely used in many applications and protocols like SSL, TLS, PGP. The NSA had designed SHA1 which carries 160bit hash functions. In 2005, Rijmen and Oswald announced a collision attack on SHA1 with 53 out of 80 rounds in 2^80 operations. The SHA1 standard was not approved in cryptographic usage after 2010.
SHA2 is a set of two similar hash functions with different block sizes of 256 and 512. SHA256 carries 32bit words while SHA512 carries 64bit words. The NSA has designed SHA2 algorithms and it also contains shortened versions named SHA224 and SHA384. After weakness found in SHA1, Google, Microsoft has approved the use of SHA2 for better data security and integrity.
SHA3 (Keccak) is a cryptographic hash function division of SHA, designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. SHA3 is not a replacement of SHA2 but NIST has realized an alternative cryptographic hash. SHA3 consists 5*5 array of 64bit words which means 1600bit in total. Keccak was also a winner of the NIST hash function competition held in 2012. SHA3 possesses the same hash length as SHA2.
A collision attack occurs where two same plain text messages have the same hash value; therefore, the software program could not comprehend the changed hash value. This technique allows an attacker to generate a false digital certificate that puts the security of the system at risk and makes it vulnerable.
Almost 59% of all worldwide users use chrome browser; all these will be influenced with this SHA256 update. If your SSL provider does not move an SSL certificate from SHA1 to SHA256, then the browser will show SSL warning in the browser and the user will not be able to connect to the requested page.
A hash value is carried out When a certificate is downloaded to the browser. The hash value depends on how the certificate is signed.CA verifies the hash value at the time of certificate issuance. The hash value of the browser and the hash value of the server should be matched. When hash values match, the server and the identity of a certificate are verified. However, SHA1 was not able to make accurate identification of both hash value and suspicious to collision attack. In this case, the attacker can forge a certificate and falsely verify the server’s identity. Google wants to get rid of this vulnerability, hence Google declared about SHA256 migration.
From the year 2017, SHA256 will be replaced with SHA1 algorithm. The reason behind SHA256 migration is a weak mathematical algorithm because SHA1 is less secure against evolving computer technology and of course, hacking techniques.SHA1 has already deprecated since 2011 by the CA/Browser Forum guidelines. NIST (National Institute of Standards and Technology) also made a publication about to ban SHA1 algorithm.
SHA1 is a hash algorithm published in 1995, which produces a 160bit hash value. The NSA developed SHA1. SHA1 is a part of SHA series and updated version of the forerunner SHA0 algorithm. It is similar to the earlier MD5 algorithm and uses a 512bit block size with a “264 – 1” message size. In SHA1, if someone changes the part of a hash value, it will produce a different hash value. In 2005, Bruce Schneier a cryptographer proved that SHA1 could be broken 2000 times faster than a brute force attack. In 2012, on base of Moore’s law and Amazon web services, Jesse Walker said, SHA1 collision would cost $2M in 2012, $700K in 2015, $173K in 2018, and $43K in 2021. The CA/Browser Forum and NIST found SHA1 vulnerable to collision attack and hence, deemed as an insecure algorithm, which compels the authority to migrate to the SHA256 algorithm.
The SHA256 algorithm was introduced in 2001, which includes sixhash function with hash values (SHA224, SHA256, SHA384, SHA512, SHA512/224, and SHA512/256). The NSA also designed SHA256 algorithm and carries significant changes from its predecessor SHA1 algorithm. It carries major changes from the forerunner SHA1 algorithm. With SHA256, the data authenticity remains secure and stable. Most browsers, OS, mail clients, and mobile phones support SHA2. SHA25656 and 512 carry 32bit and 64bit words. SHA224 and 384 are shortened versions of SHA256 and 512. In 2005, when a security flaw was identified, there emerges a need for strong algorithm; hence, a SHA256 algorithm with strong hash functions was introduced. However, attackers have not succeeded in breaching SHA256.
Below is a table showing the technical parameter that helps easily to judge the difference between SHA1 and SHA256. (source: wikipedia)
Algorithm and variant 
Output size (bits) 
Internal state size (bits) 
Block size (bits) 
Max message size (bits) 
Rounds 
Security (bits) 
Example Performance (MiB/s)[28] 

MD5 (as reference) 
128 
128 
512 
264  1 
64 
<64 (collisions found) 
335 

SHA0 
160 
160 
512 
264  1 
80 
<80 (collisions found) 
 

SHA1 
160 
160 
512 
264  1 
80 
<80 (theoretical attack[29] in 261) 
192 

SHA2 
SHA224 
224 
256 
512 
264  1 
64 
112 
139 
SHA384 
384 
512 
1024 
2128  1 
80 
192 
154 
With the everchanging computer technology and hacking techniques compels respected authority to adopt a novel algorithm to provide a better and safer environment. It is fortunate that SHA2 is safe from collision attack and giant web authorities like Google and Microsoft has shown interest in migrating from SHA1 to SHA2.