Replace SHA-1 Certificates Before You Get Hit by Breaches, Fines or Brand Damage

September 6, 2016 | Tammy Moskites
Key Takeaways
  • Popular browsers are already warning users to beware of HTTPS sites that use SHA-1 certificates
  • Browser vendors will begin rejecting secure connections to sites that use SHA-1 in early 2017
  • Organizations that continue to use SHA-1 certificates are at risk of breaches, non-compliance fines, and brand damage

When your browser throws a security warning, do you feel a bit uneasy? Even if you have every reason to believe that the site is safe? Let’s assume that you (like most people) do. You certainly don't want your business partners, customers, or employees to have any doubts about the safety of one of your organization's sites. Unfortunately, it could already be happening. 

There is a good reason why the popular browsers, Internet Explorer (IE), Chrome and Firefox, are warning users away from a large number of seemingly legitimate sites: those sites are secured by digital certificates signed with the deprecated SHA-1 cryptographic hash algorithm, which no longer offers adequate collision resistance.

SHA-1 certificates are vulnerable to attack

Way back in January 2011, the National Institute of Standards and Technology (NIST) forewarned organizations of SHA-1's vulnerability. In the years that have passed since that warning, CAs and browser vendors have been coming to terms with the agonizingly slow death of that algorithm. Meanwhile, Venafi has been helping organizations prepare for the eventual demise by locating and replacing certificates that use SHA-1.

But in late 2015, researchers estimated that a full SHA-1 collision could be computed for roughly $75,000 in rented GPU time, well within the budget of a motivated attacker. That matters for certificates because a CA's signature covers a hash of the certificate, not the certificate itself: an attacker who can produce a collision (two different certificates with the same digest) can obtain a legitimate signature on a harmless certificate and transplant it onto a rogue one, which is exactly how a forged CA certificate was produced from MD5 in 2008. Now that SHA-1 attacks have become affordable, browser vendors are upping their game, actively warning users that sites secured with SHA-1 are not necessarily secure, and they plan to begin outright rejecting certificates that use SHA-1 in early 2017: Mozilla and Google will start rejecting sites with SHA-1 certificates as of January 1, 2017, while Microsoft IE and Edge will block them as of February 14, 2017. Mozilla even considered ending support for SHA-1 certificates in Firefox as of January 2016, but reconsidered after evaluating the impact on users.

How safe is your business from a SHA-1 exploit?

If you are assuming that your organization has already moved away from SHA-1 to SHA-2 or SHA-3, check with your IT staff to be sure. (In practice the replacement is a SHA-2 digest such as SHA-256: publicly trusted CAs issue SHA-2 certificates, and browsers do not accept SHA-3-signed certificates.) Surprisingly, the SSL Pulse Project, which surveys the SSL implementations of the world's most visited websites, found in October 2015 that 24% of 143,000 popular sites were still using SHA-1 certificates. And here at Venafi, we've found that many global enterprises are still struggling with their SHA-1 migration. The odds are good that at least some of your organization's sites, and probably some of its applications too, still use SHA-1.
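To run that check yourself rather than take it on faith, the following Python script is an added example (not Venafi tooling and not from the original post) that reports the signature algorithm of every certificate in a PEM bundle using only the standard library. The OID table, the function names and the constructed stand-in certificates produced by make_fake_cert are assumptions for illustration; point audit_pem_bundle at a real chain file, a CA store export or an `openssl s_client -showcerts` dump to inventory an actual estate.

```python
"""Report the signature hash of X.509 certificates (DER or PEM bundle).

Added example, not Venafi code. A minimal DER walker reads the outer
signatureAlgorithm of Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm, signatureValue }, which is the field browsers judge.
"""
import base64

# Assumption: these are the signature OIDs a TLS estate is likely to hold.
# RSASSA-PSS (1.2.840.113549.1.1.10) carries its hash in parameters and is
# reported as "unknown" rather than decoded here.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
WEAK_HASHES = {"MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(der, pos)        # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, pos)  # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm lacks an OID")
    return _decode_oid(der[oid_start:oid_end])


def assess(der):
    """Classify one DER certificate as {'oid', 'name', 'hash', 'weak'}."""
    oid = signature_algorithm(der)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return {"oid": oid, "name": name, "hash": digest, "weak": digest in WEAK_HASHES}


def audit_pem_bundle(text):
    """Assess every certificate in a PEM bundle (chain files, CA stores, dumps)."""
    findings, b64, inside = [], [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            b64, inside = [], True
        elif line.startswith("-----END CERTIFICATE-----"):
            findings.append(assess(base64.b64decode("".join(b64))))
            inside = False
        elif inside:
            b64.append(line.strip())
    return findings


# --- constructed fixtures (stand-ins, not real certificates) -----------------
def _der(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                         else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload


def _oid_der(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_fake_cert(sig_oid):
    """Placeholder TBS, real AlgorithmIdentifier, dummy signature (constructed)."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, _oid_der(sig_oid)))
    alg = _der(0x30, _oid_der(sig_oid) + b"\x05\x00")
    sig = _der(0x03, b"\x00" * 257)        # long-form length exercises the parser
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = to_pem(make_fake_cert("1.2.840.113549.1.1.5")) + \
             to_pem(make_fake_cert("1.2.840.10045.4.3.2"))
    for i, f in enumerate(audit_pem_bundle(bundle), 1):
        print(f"cert {i}: {f['name']} ({f['hash']}) -> {'REPLACE' if f['weak'] else 'ok'}")
```

When reading the report, remember that a self-signed root carrying a SHA-1 signature is not itself a problem: browsers trust roots by identity from their trust store and never validate the root's own signature, so the certificates to replace are the leaf and intermediate ones the script flags.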

This observation isn't meant to belittle your hard-working IT staff's judgment or motivation. Migrating from SHA-1 to a stronger algorithm isn't as straightforward as it seems. For one thing, enterprises typically have more than 23,000 certificates to manage, and you cannot replace a certificate you have not found. For another, some legacy applications simply don't support SHA-2 or SHA-3.

What’s the real impact of a stalled SHA-1 migration?

Despite the difficulty factor, your organization must complete the migration as soon as possible. This issue is bigger than just a warning in a browser address bar that gives a negative perception of your organization's trustworthiness (although this is enough—no business wants to lose customer confidence).

An even bigger concern is that SHA-1 leaves your organization vulnerable to breaches and non-compliance fines, both of which are immediately destructive. Of course, breaches and fines do have a way of inevitably circling back to further tarnish your organization's reputation as well.

Given these looming consequences, if you haven't already started your migration to SHA-2 or SHA-3, ask yourself—what are you waiting for? It’s late to start now. But not too late.  

How can I accelerate my SHA-1 migration?

Not sure where to start? Check out the blog post, Still Using SHA-1? It’s Time to Switch! This post discusses how to start your SHA-1 migration. Your IT team should also read the migration guide, "How to Migrate to SHA-2 Now," which contains a 7-step plan for successfully migrating SHA-1 implementations to SHA-2 or SHA-3. If you need further help with your organization's migration, please contact us. We can help you even if your organization has limited IT resources for this project.

About the author

Tammy Moskites
Tammy Moskites

Tammy is Managing Director, Senior Security Executive at Accenture. She has 30 years of experience and is noted for her expertise leading IT security organizations. She was previously the CIO/CISO of Venafi Inc.
