Skip to main content
banner image
venafi logo

SHA-1 Deprecation

SHA-1 Deprecation

SHA1 Deprecation is Here

For years, major web browsers like Chrome and Firefox have been planning to block SHA-1 certificates, Now, in 2017, they have ramped up their efforts.

content not private.png

The wait is up. If your site is still using SHA-1 certificates, then visitors to your website in Chrome will be met with this warning. A warning like that will have even your most loyal customers running for safety. In addition to Chrome, other popular web browsers like Mozilla Firefox and Microsoft Edge have joined in blocking SHA-1 certificates in early 2017. Yet despite all the attention about the SHA-1 to SHA-2 transition, as recently as November, 2016, 35% of websites were still using SHA-1 certificates. So why are a full third of websites using insecure cyber-security measures? To answer that question, let’s first go over what SHA is, why SHA-2 is an improvement over SHA-1, and how you can be sure your organization is protected.

Browse a specific category by clicking on any of the quick links below:
What are SHA Certificates?

SHA stands for Secure Hash Algorithm. It was originally developed by the United States National Security Agency (NSA) and has been adopted as an industry standard for file integrity verification and digital signatures. Basically, it’s a way of knowing that incoming files over an internet or network connection haven’t been tampered with because, theoretically, no two input values should be able to result in the exact same hash output. However, experts have known since 2005 that the original SHA-1 certificate was vulnerable to attack. In response to rising concerns, the NIST (National Institute of Standards and Technology) officially deprecated SHA-1 in 2011. Most recently, on February 23rd, 2017, Google and the Dutch research institute CWI announced that they successfully broke SHA-1 n practice using a simulated collision attack. This breakthrough further underscores the vulnerabilities of SHA-1 as well as the absolute necessity for websites to migrate over to SHA-2 as soon as possible.

What’s the Difference Between SHA-1 and SHA-2 Certificates?

SHA-2 has improved certificates specifically designed to prevent harmful breaches such as man-in-the-middle and collision attacks. SHA-2 is actually a collection of six hash functions that exponentially increases an organization’s capacity to identify and guard against cyber attacks. So far, the integrity of SHA-2 certs has been upheld through extensive testing (much like the tests that exposed weaknesses in SHA-1).

How do I Know if my Organization has any Expired Certificates?

Even if you’ve been rolling over to SHA-2 certificates for quite a while, it can be difficult to ensure that there aren’t any expired SHA-1 certificates lurking. Even for an organization of average size, you could have tens of thousands of keys and certificates, and you may not have the visibility and resources to track them all. And implementing a process to identify and rollover every certificate can be daunting and confusing. The truth is, however, unless you have a detailed plan in place to implement, track, and verify the SHA-1 migration process, you may not know that you have expired certificates leaving your business vulnerable to attacks.

What are the Risks of Having Hidden, Expired SHA-1 Certificates?

As mentioned above, the vulnerabilities of SHA-1 certificates have been known for over a decade. Now, with popular web browsers already blocking expired certificates, the consequences of having hidden SHA-1 certs are immediate and far-reaching:

  • Increased risk of a collision attack or man in the middle attack.
  • Added risk with the presence of wildcard SSL certificates.
  • Getting your website blocked on popular web browsers.
  • Loss of revenue from customers who are blocked from visiting your site.
  • Loss of future business as people lose trust in your brand.
  • It’s much more difficult and expensive to fix the problem after you’ve been blocked or fined (or worse, experienced a cyber attack) than it is to rollover to SHA-2 beforehand.

In addition to these risks, you have an obligation to your customers to protect their identities and the integrity of their transactions with your business. Not only is this good business sense, but having a secure website protects your customers and establishes trust in your brand and service.

How to Make the Switch and Completely Rollover to SHA-2 Certificates

The process of switching over to SHA-2 can be chaotic and complex. However, with a plan in place, it can be easier than you’d think. And it’s much better to be proactive about removing expired certificates than trying to fix a broken website. The process of SHA-1 migration can be broken into 7 steps:

1. Establish a migration team.

2. Identify all SHA-1 certificates.

3. Consider the impact of migration on your everyday business operations.

4. Automate the migration of SHA-1 to SHA-2.

5. Make a policy to ensure all new certificates are SHA-2.

6. Implement a “change control” process to ensure accuracy and compliance.

7. Validate your SHA-1 migration through a report, proving the process is complete.

For more information, read our complete 7-step SHA-1 migration guide.

Is Future-Proof Cyber Security a Possibility?

As cyber criminals become more sophisticated, there’s an increased need to be diligent in continually updating security protocol of all your digital assets. Unless you have the in-house team and the resources to stay proactive and updated with all the latest strategies, you’ll always be left hoping you’re lucky enough to avoid attack (until you become so far behind that an attack is inevitable). So is it possible to be future-proof when it comes to cyber security? The most important thing in the short term is to get a plan in place and move things forward toward a complete SHA-2 transition.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more