We’re in the final days of what are loosely known as SHA-1 SSL certificates. In certificates of this sort, the cryptographic hash or “message digest” that is used as a digital fingerprint is calculated, as the name suggests, using the SHA-1 algorithm.

To be a cryptographic hash, rather than just a plain old checksum, an algorithm needs to create a fingerprint that is genuinely hard to forge. In other words, if I take a message M and create a digital fingerprint by calculating f(M) = X, you shouldn’t be able to go backwards from X and figure out anything about M.

You shouldn’t be able to come up with a message of your own, N say, such that f(N) is also X. And you shouldn’t be able to come up with two different messages that have the same fingerprint, where f(A) = f(B) but A is not equal to B.

Unless these conditions are met, the hashing function f() simply isn’t safe enough to use as any sort of digital fingerprint and therefore has no place in cryptography.
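
The gap between a plain checksum and a cryptographic hash, as an added example that is not part of the original article: a 16-bit additive checksum (a constructed stand-in for f) fails the second condition, because a different message N with the same fingerprint as M can be computed directly, while SHA-256 (chosen here for contrast) gives the two messages different digests. The function names and sample messages are assumptions made for illustration.

```python
import hashlib

MOD = 1 << 16  # the checksum has only 2**16 possible values


def checksum16(data: bytes) -> int:
    """Plain additive checksum: sum of all bytes modulo 2**16."""
    return sum(data) % MOD


def forge_same_checksum(target: int, replacement: bytes) -> bytes:
    """Pad `replacement` until checksum16() of the result equals `target`.

    The checksum is linear: every appended byte adds exactly its own
    value, so the shortfall can be made up with simple arithmetic.
    A cryptographic hash offers no such shortcut.
    """
    shortfall = (target - checksum16(replacement)) % MOD
    full, rest = divmod(shortfall, 0xFF)
    padding = b"\xff" * full + (bytes([rest]) if rest else b"")
    return replacement + padding


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used as the cryptographic fingerprint."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample messages (not from the article).
M = b"Pay Alice 10 dollars"
N_BASE = b"Pay Bob 9000 dollars"

# N differs from M but is built so that f(N) == f(M) for the checksum.
N = forge_same_checksum(checksum16(M), N_BASE)

if __name__ == "__main__":
    print("checksum16(M):", checksum16(M))
    print("checksum16(N):", checksum16(N))
    print("same checksum:", checksum16(M) == checksum16(N))
    print("sha256(M):", sha256_hex(M))
    print("sha256(N):", sha256_hex(N))
    print("same sha256: ", sha256_hex(M) == sha256_hex(N))
```
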