SHA1 "Shattered" Collision
Blog post from Octopus Deploy
Google's recent announcement of an attack capable of generating SHA1 hash collisions has raised concerns about the security of digital signatures, although it does not appear to directly affect SSL/TLS encryption. The SHA1 algorithm, already being phased out, is still used by Octopus Deploy when generating the X.509 certificates that secure connections between its server and Tentacle agents. In response, Octopus plans to use SHA256 for new installations and to provide ways for users with existing installations to switch to stronger certificates. Users can mitigate the risk immediately by generating their own certificates, and Octopus will soon automate this process to ease the transition. Users are also advised to check whether SHA1 is used elsewhere in their systems, such as in the certificate for the web frontend or in certificates for third-party services. The post provides PowerShell scripts for detecting SHA1 certificates and highlights a new certificate management feature in Octopus 3.11.
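The "check whether SHA1 is used elsewhere" advice above, as an added PowerShell example that is not the post's own script: it lists certificates in the Windows certificate stores whose signature algorithm is SHA1 and reports the signature algorithm of the certificate presented by an HTTPS endpoint (for example a web frontend or a third-party service). The store paths and the host name `octopus.example.com` are assumptions; the certificate Octopus itself manages for server-to-Tentacle communication is not inspected here.

```powershell
# Added example, not from the Octopus Deploy post. Finds SHA1-signed certificates
# in the local Windows certificate stores and inspects an HTTPS endpoint's certificate.

function Find-Sha1Certificate {
    # Store paths are an assumption; add others (e.g. Cert:\LocalMachine\WebHosting) as needed.
    param([string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))

    foreach ($path in $StorePath) {
        # SignatureAlgorithm.FriendlyName is e.g. 'sha1RSA' for SHA1-signed certificates;
        # -match is case-insensitive, so 'sha1' also catches 'SHA1withRSA' style names.
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'sha1' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Get-TlsCertificateSignature {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host      = $HostName
            Subject   = $cert.Subject
            Algorithm = $cert.SignatureAlgorithm.FriendlyName
            IsSha1    = [bool]($cert.SignatureAlgorithm.FriendlyName -match 'sha1')
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: scan the local stores, then check the web frontend (host name is a placeholder).
Find-Sha1Certificate | Format-Table -AutoSize
Get-TlsCertificateSignature -HostName 'octopus.example.com'
```

A SHA1 self-signature on a trusted root certificate is not itself a weakness, since roots are trusted by their presence in the store rather than by their signature; the certificates that matter are end-entity and intermediate ones signed with SHA1.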