Venafi Research: Twenty-One Percent of Websites Are Still Using Insecure SHA-1 Certificates and Putting Users at Risk
March 7, 2017
Despite January deadline for SHA-2 migration, more than 1 in 5 certificates for unique IP addresses are still using SHA-1 as the signature hash algorithm.
New research from Venafi® Labs shows that 21 percent of the world’s websites are still using certificates signed with the vulnerable Secure Hash Algorithm, SHA-1.
On February 23, 2017, Google affiliated security researchers announced they cracked the SHA-1 security standard using a collision attack. The incident proved that the deprecated cryptographic secure hash algorithm still used to sign many website digital certificates can be manipulated. Newly issued certificates using the SHA-2 family of hash functions solve these problems, but Venafi Labs’ research shows that many companies have not replaced all their certificates with ones signed by SHA-2. This leaves organizations open to security breaches, compliance problems, and outages that can affect security, availability, reliability and even profits.
“The results of our most recent analysis are not surprising,” said Kevin Bocek, chief security strategist for Venafi. “Even though most organizations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition. We’ve seen this problem before when organizations had a difficult time making coordinated changes to keys and certificates in response to Heartbleed, and unfortunately I’m sure we are going to see it again.”
Web transactions and traffic may be disrupted in a variety of ways due to use of insecure SHA-1 certificates:
Browsers will display warnings to users that the site is insecure, prompting users to look for an alternative site.
Browsers will not display the ‘green padlock’ on the address line for HTTPS transactions; consumers rely on this icon as an indication that online transactions are secure and private.
Sites may experience performance problems; in some cases, access to websites may be completely blocked.
In addition to the serious impact on user experience, websites that continue to use SHA-1 certificates are likely to experience a significant increase in help desk calls and a reduction in revenue from online transactions as users abandon websites due to security warnings.
Chrome Security Warning
Firefox Security Warning
Opera Security Warning
Safari Security Warning
Encryption is required for private and secure communications and transactions. Digital certificates are used to identify and authenticate machines and establish encrypted sessions between users and websites. Digital certificates also verify that the website to which the user is connecting is legitimate and all web browsers use certificates to determine what can and can’t be trusted during online transactions. This is particularly critical in transactions that include sensitive data such as eCommerce and online banking.
In February 2017, the Venafi Labs research team analyzed data on over 33 million publicly visible IPv4 websites using Venafi TrustNet™, a proprietary database and real-time certificate intelligence service. This research discovered that more than 1 in 5 certificates for unique IP addresses are still using SHA-1 as the signature hash algorithm.