For years, major web browsers like Chrome and Firefox have been planning to block SHA-1 certificates, Now, in 2017, they have ramped up their efforts.
The wait is up. If your site is still using SHA-1 certificates, then visitors to your website in Chrome will be met with this warning. A warning like that will have even your most loyal customers running for safety. In addition to Chrome, other popular web browsers like Mozilla Firefox and Microsoft Edge have joined in blocking SHA-1 certificates in early 2017. Yet despite all the attention about the SHA-1 to SHA-2 transition, as recently as November, 2016, 35% of websites were still using SHA-1 certificates. So why are a full third of websites using insecure cyber-security measures? To answer that question, let’s first go over what SHA is, why SHA-2 is an improvement over SHA-1, and how you can be sure your organization is protected.
SHA stands for Secure Hash Algorithm. It was originally developed by the United States National Security Agency (NSA) and has been adopted as an industry standard for file integrity verification and digital signatures. Basically, it’s a way of knowing that incoming files over an internet or network connection haven’t been tampered with because, theoretically, no two input values should be able to result in the exact same hash output. However, experts have known since 2005 that the original SHA-1 certificate was vulnerable to attack. In response to rising concerns, the NIST (National Institute of Standards and Technology) officially deprecated SHA-1 in 2011. Most recently, on February 23rd, 2017, Google and the Dutch research institute CWI announced that they successfully broke SHA-1 n practice using a simulated collision attack. This breakthrough further underscores the vulnerabilities of SHA-1 as well as the absolute necessity for websites to migrate over to SHA-2 as soon as possible.
SHA-2 has improved certificates specifically designed to prevent harmful breaches such as man-in-the-middle and collision attacks. SHA-2 is actually a collection of six hash functions that exponentially increases an organization’s capacity to identify and guard against cyber attacks. So far, the integrity of SHA-2 certs has been upheld through extensive testing (much like the tests that exposed weaknesses in SHA-1).
Even if you’ve been rolling over to SHA-2 certificates for quite a while, it can be difficult to ensure that there aren’t any expired SHA-1 certificates lurking. Even for an organization of average size, you could have tens of thousands of keys and certificates, and you may not have the visibility and resources to track them all. And implementing a process to identify and rollover every certificate can be daunting and confusing. The truth is, however, unless you have a detailed plan in place to implement, track, and verify the SHA-1 migration process, you may not know that you have expired certificates leaving your business vulnerable to attacks.
As mentioned above, the vulnerabilities of SHA-1 certificates have been known for over a decade. Now, with popular web browsers already blocking expired certificates, the consequences of having hidden SHA-1 certs are immediate and far-reaching:
In addition to these risks, you have an obligation to your customers to protect their identities and the integrity of their transactions with your business. Not only is this good business sense, but having a secure website protects your customers and establishes trust in your brand and service.
The process of switching over to SHA-2 can be chaotic and complex. However, with a plan in place, it can be easier than you’d think. And it’s much better to be proactive about removing expired certificates than trying to fix a broken website. The process of SHA-1 migration can be broken into 7 steps:
1. Establish a migration team.
2. Identify all SHA-1 certificates.
3. Consider the impact of migration on your everyday business operations.
4. Automate the migration of SHA-1 to SHA-2.
5. Make a policy to ensure all new certificates are SHA-2.
6. Implement a “change control” process to ensure accuracy and compliance.
7. Validate your SHA-1 migration through a report, proving the process is complete.
For more information, read our complete 7-step SHA-1 migration guide.
As cyber criminals become more sophisticated, there’s an increased need to be diligent in continually updating security protocol of all your digital assets. Unless you have the in-house team and the resources to stay proactive and updated with all the latest strategies, you’ll always be left hoping you’re lucky enough to avoid attack (until you become so far behind that an attack is inevitable). So is it possible to be future-proof when it comes to cyber security? The most important thing in the short term is to get a plan in place and move things forward toward a complete SHA-2 transition.